CERT Alert (TA18-106A): Russian Cyber Attack
On April 16, 2018, the United States Computer Emergency Readiness Team
(CERT) issued CERT Alert (TA18-106A), "Russian State-Sponsored Cyber Actors
Targeting Network Infrastructure Devices".
We encourage all of our customers to read this alert and put actions into
place to discover and prevent possible intrusions.
One of the major weaknesses these attackers exploit in network
infrastructure devices is the SNMPv1 and SNMPv2c agents implemented in
those devices. Deploying SNMPv3 with its security features (authentication
and encryption) enabled will prevent SNMP attacks of this kind.
SNMP Research provides tools for end-users that can search your network
for devices that still use insecure SNMPv1 and SNMPv2c
(SNMP Security Analyzer)
and help you configure SNMPv3 agents for security
(Simple PolicyPro®).
SNMP Research also provides toolkits to help manufacturers build
secure SNMPv3 agents (EMANATE®) and SNMPv3 management applications (BRASS™).
For more information, please send email inquiries to
info@snmp.com.
This section explores the implications of the Technical Alert (TA)
for creators and users of network infrastructure devices—routers,
switches, firewalls, etc.—and other network elements that are
manageable with SNMP (collectively, "network devices").
For page number references, please refer to the PDF version of the
TA above.
Who is at risk?
- "government and private-sector organizations, critical
infrastructure providers, and the Internet service providers
(ISPs) supporting these sectors"
(page 1, Overview, paragraph 1)
- "public-sector organizations, private-sector corporations,
and small office home office (SOHO) customers"
(page 1, Overview, paragraph 3)
- any individual or organization using network devices containing
"legacy or weak protocols"; e.g., SNMPv1 and SNMPv2c
(page 2, paragraph 2)
What tactics are being used?
- gather information over time: "identify vulnerable devices; extract device configurations; map internal network architectures; harvest login credentials" (page 2, first four bullets)
- "spoof the source address of the SNMP UDP datagram as coming from inside the targeted network" (page 3, last paragraph)
- access devices while pretending to be an authorized user: "masquerade is the primary method by which these cyber actors exploit
targeted network devices" (page 4, Stage 4: Exploitation, paragraph 1)
- "execute privileged commands [to] modify device configurations, create...tunnels, or mirror or redirect network traffic through other network infrastructure they control." (page 4, Stage 6: Command and Control)
What should be done for SNMP?
"Blocking external SNMP at the network boundary" (page 3, last paragraph) is an inadequate defense against cyber actors.
Individual devices should be "hardened before installation"
(page 2, next-to-last bullet). Here are some concrete steps that
should be taken to defend against attack.
- "Disable...SNMPv1 or v2c. Where possible, use...SNMPv3." (page 7, bullet 2) And, "configuration data should be encrypted between sender and receiver." (page 11, paragraph 1)
- Before you can disable SNMPv1 and SNMPv2c in your network, you need to know which agents are responding to these insecure protocols. SNMP Research's SNMP Security Analyzer scans the network to find SNMPv1/v2c agents and other vulnerabilities.
- All of SNMP Research's agent products fully support SNMPv3 with the strongest authentication and encryption features available in the industry. End-users should consider CIAgent® as a drop-in replacement for existing SNMPv1/v2c agents on UNIX and Windows systems.
- To upgrade legacy SNMPv1/v2c manager products on UNIX and Windows to SNMPv3, SNMP Research offers the Distributed SNMP Security Pack™ (DSSP) to end-users and application vendors.
- "DHS strongly advises owners and operators to retire and replace legacy devices that cannot be configured to use SNMP V3." (page 7, bullet 2)
- All of SNMP Research's agent products fully support SNMPv3. Manufacturers should consider replacing their existing agent framework with EMANATE®, EMANATE®/Lite, or EMANATE® ONE.
- Manufacturers that provide an SNMP-based element manager application with their hardware products, and Enterprise management companies that produce general-purpose SNMP management applications should consider replacing their existing manager framework with SNMP Research's BRASS™ toolkit on UNIX and Windows.
- "Immediately change default passwords and enforce a strong password policy." (page 7, bullet 3)
- SNMP Research's Simple PolicyPro® application was created specifically for this purpose. When SNMPv3 passwords need to be changed, administrators use EnterPol's Simple PolicyPro to distribute those password changes throughout the enterprise with a single click.
- It should be noted that some of the concerns and suggestions raised in the TA apply only to other protocols in the document, because they are mitigated by the design of SNMPv3. For example, "Encourage the use of authentication services that do not depend on passwords," (page 7, bullet 6) and "Do not reuse the same password across multiple devices." (page 7, bullet 3) SNMPv3 uses two secret keys to communicate with each device—one for authentication, and one for encryption. Because each key is localized with the device's SNMP Engine ID, the keys configured on each device are unique, so "credential-harvesting activities [by] cyber actors" (page 4, Stage 4: Exploitation, paragraph 1) are unproductive. However, an operator can enter the same plaintext passwords or passphrases into the SNMPv3 manager to access all devices with SNMPv3 safely. SNMP Research's SNMP Security Analyzer checks devices for duplicate SNMP Engine IDs, which would give several devices identical localized keys and degrade the protections provided by SNMPv3.
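The key-localization step behind the previous bullet, as an added example (not code from this page or from SNMP Research's products): it implements the password-to-key and key-localization procedures of RFC 3414 Appendix A.2 with Python's standard hashlib, and shows that one operator passphrase yields a different localized key for every distinct snmpEngineID, and the same key wherever two devices share an Engine ID. The "maplesyrup" passphrase and the all-zero-then-02 Engine ID are the test vector from RFC 3414 Appendix A.3; ENGINE_A and ENGINE_B are constructed values.

```python
import hashlib

# RFC 3414 Appendix A.2.1: expand the passphrase to 1,048,576 octets by
# repeating it, then hash the expansion to obtain the user key Ku.
def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    if not password:
        raise ValueError("empty passphrase")
    repeats = 1048576 // len(password) + 1
    expanded = (password * repeats)[:1048576]
    return hashlib.new(hash_name, expanded).digest()


# RFC 3414 Appendix A.2.2: localize Ku to one engine by hashing
# Ku || snmpEngineID || Ku. This localized key is what the agent stores,
# so harvesting it from one device does not unlock any other device.
def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


# Same operator passphrase on two engines: do they hold distinct keys?
# Duplicate Engine IDs (the condition the Security Analyzer flags) make this False.
def keys_are_distinct(password: bytes, engine_a: bytes, engine_b: bytes,
                      hash_name: str = "md5") -> bool:
    return localized_key(password, engine_a, hash_name) != localized_key(password, engine_b, hash_name)


# Constructed Engine IDs for two hypothetical devices (not from the page).
ENGINE_A = bytes.fromhex("80000009 01 c0000201".replace(" ", ""))
ENGINE_B = bytes.fromhex("80000009 01 c0000202".replace(" ", ""))

# RFC 3414 Appendix A.3 test vector.
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    ku = password_to_key(b"maplesyrup", "md5")
    print("Ku  (MD5):", ku.hex())
    print("Kul (MD5):", localize_key(ku, RFC_ENGINE_ID, "md5").hex())
    print("distinct engines ->", keys_are_distinct(b"maplesyrup", ENGINE_A, ENGINE_B))
    print("duplicate engines ->", keys_are_distinct(b"maplesyrup", ENGINE_A, ENGINE_A))
```

The same logic holds for the privacy key: RFC 3414 derives it with the same two steps from the privacy passphrase, so both keys on a device are Engine-ID-specific.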
- "Simply using SNMPv3 is not enough to prevent abuse of the protocol. A safer approach is to combine SNMPv3 management information base (MIB) whitelisting using SNMP views." (from external document TA17-156A referenced on page 8, bullet 1)
- All of SNMP Research's agent products fully support SNMPv3, including the View-based Access Control Model (VACM) defined by RFC 3415 with full remote read-write capabilities. This is the feature that allows whitelisting of SNMP views as described in the external document.
- SNMP Research's SNMPv3 Configuration Wizard™ can display the MIB views enforced by any single SNMPv3 agent and enable the operator to configure new views and changes to existing views.
- SNMP Research's Simple PolicyPro® configures MIB views in many SNMPv3 agents simultaneously as part of a policy decision for the entire enterprise. For example, an enterprise-wide security policy could address the OIDs listed in Appendix C: SNMP Queries (pages 12-13). It could selectively include (whitelist) requests for the OID prefix 1.3.6.1.4.1.9.2.1.55 so the transfer destination can only be set to a trusted IP address within the enterprise. It could also exclude (blacklist) the entire 1.3.6.1.4.1.9.9.96 subtree.
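How a VACM view decides whether a given OID is reachable, as an added example (not code from this page or from any SNMP Research product): it models vacmViewTreeFamilyTable rows (subtree, mask, included/excluded) and applies the RFC 3415 rule that the matching row with the longest subtree, and on a tie the greatest mask, decides. The policy it evaluates is the one the bullet above describes: the 1.3.6.1.4.1.9.2.1.55 prefix is whitelisted only with a trusted destination address appended, and the 1.3.6.1.4.1.9.9.96 subtree is excluded. The trusted address 192.0.2.10, the grant of the rest of 1.3.6.1.4.1.9.9 and of the system group for monitoring, and the per-interface row view are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ViewEntry:
    """One vacmViewTreeFamilyTable row (RFC 3415 section 4.4)."""
    subtree: tuple   # OID sub-identifiers of the family
    mask: tuple      # 1 = sub-identifier must match, 0 = wildcard; missing bits count as 1
    included: bool   # vacmViewTreeFamilyType: True = included, False = excluded


def parse_oid(text: str) -> tuple:
    return tuple(int(part) for part in text.strip(".").split("."))


def effective_mask(entry: ViewEntry) -> tuple:
    # A short mask is extended with 1 bits to the subtree length.
    return entry.mask + (1,) * (len(entry.subtree) - len(entry.mask))


def entry_covers(entry: ViewEntry, oid: tuple) -> bool:
    # The OID must be at least as long as the family, and every
    # non-wildcarded sub-identifier of the family must match.
    if len(oid) < len(entry.subtree):
        return False
    mask = effective_mask(entry)
    return all(mask[i] == 0 or oid[i] == sub for i, sub in enumerate(entry.subtree))


def oid_in_view(view, oid_text: str) -> bool:
    """RFC 3415 3.5 step-by-step: longest covering subtree wins, then greatest
    mask; nothing covering the OID means it is outside the view (deny)."""
    oid = parse_oid(oid_text)
    best = None
    for entry in view:
        if not entry_covers(entry, oid):
            continue
        if best is None or (len(entry.subtree), effective_mask(entry)) > \
                           (len(best.subtree), effective_mask(best)):
            best = entry
    return best is not None and best.included


def entry(oid_text: str, included: bool, mask=()) -> ViewEntry:
    return ViewEntry(parse_oid(oid_text), tuple(mask), included)


TRUSTED_DESTINATION = "192.0.2.10"   # constructed (TEST-NET-1), not from the page

# Enterprise-wide policy view in the spirit of the bullet above.
POLICY_VIEW = (
    entry("1.3.6.1.2.1.1", True),                               # system group for monitoring (assumed)
    entry("1.3.6.1.4.1.9.9", True),                             # rest of that tree for monitoring (assumed)
    entry("1.3.6.1.4.1.9.9.96", False),                         # subtree blacklisted by the policy
    entry("1.3.6.1.4.1.9.2.1.55." + TRUSTED_DESTINATION, True), # prefix allowed only with trusted destination
)

# Mask demonstration: every column of ifEntry for interface row 3 only.
# 1.3.6.1.2.1.2.2.1.<column>.3 with the column position (index 9) wildcarded.
IF_ROW_VIEW = (
    entry("1.3.6.1.2.1.2.2.1.10.3", True, mask=(1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1)),
)

if __name__ == "__main__":
    for oid in ("1.3.6.1.4.1.9.2.1.55." + TRUSTED_DESTINATION,
                "1.3.6.1.4.1.9.2.1.55.198.51.100.7",
                "1.3.6.1.4.1.9.9.96.1.1.1.1.2.5",
                "1.3.6.1.4.1.9.9.13.1.3.1.3.1"):
        print(oid, "->", "allowed" if oid_in_view(POLICY_VIEW, oid) else "denied")
```

Because VACM denies anything no family covers, a whitelist view only has to name what is permitted; the explicit exclusion matters where a broader included subtree would otherwise reach the sensitive OIDs, as the excluded 1.3.6.1.4.1.9.9.96 row does inside the included 1.3.6.1.4.1.9.9 family.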
For further information about this alert or SNMP Research's products,
please contact SNMP Research, Inc.
SNMP Research Incorporated
3001 Kimberlin Heights Rd.
Knoxville, TN 37920
U.S.A.
Tel: +1 865 573 1434
Fax: +1 865 579 6565
E-mail: info@snmp.com
www.snmp.com