Governments to enterprises: Improve your router security hygiene

Wait 5 sec.

Global security agencies say enterprises must clean up their act as Russian government-sponsored attackers exploit weaknesses in routers.According to a new multinational cybersecurity advisory, cyberattackers continue to exploit inadequately-protected and/or poorly-configured network devices via age-old tactics. Threat actors scan for weakened devices, typically routers, allowing them to “opportunistically” compromise critical infrastructure networks, according to the bulletin from 19 federal agencies across North America, the UK, Europe, and Australia.They then transfer configuration files to servers they control. These files, containing plaintext or weakly-encoded information like credentials, or details about the organization’s network, hold most of the potential value, noted Seva Ioussoufovitch, a senior research analyst at Info-Tech Research Group.“It might sound simple, but this tactic has been exploited for well over a decade, and is clearly still effective,” he said.How SNMP attacks workTo begin their attack, state-sponsored cybercriminals send requests via the standard Simple Network Management Protocol (SNMP) framework that supports device-network information exchange, which allows them to scan for weak, insecure devices still using older SNMPv1 or SNMPv2 protocols that accept common or default “community strings” for authentication. These strings are typically shared passwords, with predictable, public defaults that might have been left untouched by admins. Additionally, many of these devices may remain in their basic router configurations.Using spoofed IP addresses, threat actors instruct SNMP agents running on these devices to copy their configurations to a file (typically “config.bkp” or “output.txt”), then transfer that file to virtual private servers (VPSs) that they control. In addition, cybercriminals are exploiting common vulnerabilities and exposures (CVEs) in Cisco devices, as well as in the Cisco’s Smart Install (SMI) tool.Actors have exploited, at the very least, CVE-2018-0171 (published in 2018) and CVE-2008-4128 (published in 2008), according to the bulletin. Both of these targeted Cisco routers, giving remote, unauthenticated attackers the ability to execute arbitrary code, take unauthorized actions, or cause a denial of service (DoS).Notable groups using this method are known to the security community as “Berserk Bear,” “Crouching Yeti,” “Dragonfly,” “Energetic Bear,” “Ghost Blizzard,” and “Static Tundra.” According to the bulletin, the industries most vulnerable to Russian state-sponsored cyber actors include communications, energy, financial services, defense industrial bases, healthcare and public health facilities, and government services and facilities.A set-and-forget approach, even in 2026The problem with router hygiene is that devices are susceptible to a “confluence of typical enterprise shortcomings” when it comes to operationalizing security, noted Info-Tech’s Ioussoufovitch.“Many organizations still take a set-it-and-forget-it approach to routers, and don’t track them like they would an endpoint,” he said.Compounding this risk is the fact that routers are typically critical to business continuity, which increases the necessity of keeping their security up-to-date. To make things worse, in some cases, it might also be unclear who’s in charge of device security. “Security points to the network team and they’re pointing right back at security,” Ioussoufovitch noted.As well, many organizations continue to rely on legacy hardware that may be unsupported, but that the business is unwilling to replace.Ultimately, Ioussoufovitch said, “network security just doesn’t seem to be receiving the same amount of attention as the usual areas of focus (like endpoints).”Recommendation: Move away from older protocols and devices immediatelySpecifically, the agencies urged security teams and network admins to upgrade to SNMPv3, enforce secure passwords, disable Cisco Smart Install, and block SNMP and common file transfer methods “at the firewall.”Enterprises should immediately disable SNMPv1 and SNMPv2, which are “legacy protocols and should no longer be needed on current devices.” In instances where they are still deemed necessary, shift from default settings to grant read-only access (no read-write access).SNMPv3 should be employed with authPriv configured to the “most modern encryption standard,” the bulletin advised. SNMPv3 adds strong authentication and data encryption unavailable in previous versions, and has more securely encoded parameters to authenticate and encrypt data.“Moving to SNMPv3, which offers stronger authentication and encryption, is a clear, actionable step security teams need to prioritize now,” Ioussoufovitch agreed.The government agencies urged enterprises to use strong, unique passwords for local accounts on network devices, and to monitor for unusual credentials that do not match standard naming conventions, or misconfiguration in logs or intrusion detection systems (IDS). Networks should support multi-factor authentication (MFA), and admins should enforce allow lists for management protocols like SNMP.Additionally, enterprises should update network device software, retire end-of-life devices, and disable Cisco Smart Install on all machines once initial configuration is complete, as this introduces serious security issues when it inadvertently remains enabled, the agencies said.Network security must improve across the boardThe advisory is a signal that enterprises may be underinvesting in network security, noted Ioussoufovitch. Admins and security leaders should be asking these questions:Do they have decent network detection and response capabilities in place?Are they applying analytics and anomaly detection to network traffic patterns?Have they incorporated micro-segmentation across the enterprise environment to limit risks posed by any individual router?“Getting at least some of these proactive measures in place, while taking a more disciplined approach to the tracking and replacement of EOL devices, can help security and network teams finally start making some headway against these types of threats,” said Ioussoufovitch.David Shipley of Beauceron Security agreed that enterprise networking equipment security must be improved, but said that’s more on the vendors than the critical infrastructure providers. Vendors should be shipping products that are secure by default; customers shouldn’t have to be going back and turning these features on.He added that it would be great to see Salt Typhoon-proof levels of device security and authentication. “Right now, it’s been trivial for them to pwn networking gear,” he said.While the guidance is important and will help, Shipley said, “building better and shipping secure by default would do even more.”