A Russian state-sponsored cyber espionage group designated as Static Tundra has been actively exploiting a seven-year-old vulnerability in Cisco networking units to steal configuration information and set up persistent entry throughout important infrastructure networks.
The subtle menace actor, linked to Russia’s Federal Safety Service (FSB) Middle 16 unit, has been concentrating on unpatched and end-of-life community units since 2015, with operations considerably escalating following the Russia-Ukraine battle.
The marketing campaign facilities round CVE-2018-0171, a beforehand disclosed vulnerability in Cisco IOS software program’s Good Set up characteristic that enables unauthenticated distant attackers to execute arbitrary code or set off denial-of-service situations.
Regardless of Cisco issuing patches in 2018, Static Tundra continues to seek out success exploiting organizations which have failed to use safety updates or are working legacy units past their assist lifecycle.
Static Tundra’s victims span telecommunications, increased schooling, and manufacturing sectors throughout North America, Asia, Africa, and Europe.
The group demonstrates exceptional persistence, sustaining entry to compromised environments for a number of years with out detection.
Cisco Talos analysts recognized the menace cluster by way of ongoing evaluation of refined community system compromises, noting the group’s superior information of community infrastructure and deployment of bespoke exploitation instruments.
Assault Methodology and Configuration Exfiltration
Static Tundra employs a methodical method to configuration theft, starting with automated exploitation of the Good Set up vulnerability towards predetermined goal lists doubtless gathered from public scanning companies like Shodan or Censys.
Upon profitable exploitation, the attackers instantly modify the working configuration to allow native Trivial File Switch Protocol (TFTP) companies utilizing the command:-
tftp-server nvram:startup-config
This command creates a brief TFTP server that enables Static Tundra to determine a secondary connection and retrieve the system’s startup configuration file.
The extracted configurations usually comprise delicate credentials and Easy Community Administration Protocol (SNMP) neighborhood strings that facilitate deeper community penetration.
The menace actors leverage these compromised credentials to pivot laterally by way of community environments, utilizing SNMP protocols with spoofed supply addresses to bypass entry management lists.
Static Tundra has been noticed creating privileged native consumer accounts and establishing Generic Routing Encapsulation tunnels to redirect and seize community visitors of intelligence worth, demonstrating their deal with long-term espionage slightly than quick monetary achieve.
Increase your SOC and assist your workforce shield your online business with free top-notch menace intelligence: Request TI Lookup Premium Trial.
