Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Network Networking Security

Cyber-Espionage Groups Are Increasingly Leveraging Routers in Their Attacks (bleepingcomputer.com) 22

Catalin Cimpanu, reporting for BleepingComputer: Cyber-espionage groups -- also referred to as advanced persistent threats (APTs) -- are using hacked routers more and more during their attacks, according to researchers at Kaspersky Lab. "It's not necessarily something new. Not something that just exploded," said Costin Raiu, director of Global Research and Analysis Team (GReAT) at Kaspersky Lab, in a webinar today. "We've seen a bunch of router attack throughout the years. A very good example is SYNful Knock, a malicious implant for Cisco [routers] that was discovered by FireEye but also threat actors such as Regin and CloudAtlas. Both APTs have been known to have and own proprietary router implants." But the number of APTs leveraging routers for attacks has gone steadily up in the past year, and the tactic has become quite widespread in 2018. For example, the Slingshot APT (believed to be a US Army JSOC operation targeting ISIS militants) has used hacked MikroTik routers to infect victims with malware.
This discussion has been archived. No new comments can be posted.

Cyber-Espionage Groups Are Increasingly Leveraging Routers in Their Attacks

Comments Filter:
  • Pffft. (Score:4, Funny)

    by fahrbot-bot ( 874524 ) on Thursday April 12, 2018 @02:53PM (#56426847)

    Cyber-Espionage Groups Are Increasingly Leveraging Routers in Their Attacks

    I'll panic when they get around to the bigger stuff, like band-saws and drill-presses.

  • by ctilsie242 ( 4841247 ) on Thursday April 12, 2018 @02:55PM (#56426865)

    I'm absolutely not surprised by this. Routers are computers too, with storage (albeit limited), RAM, CPU, and other I/O. If someone pwns a router, there is a lot they can do with it, be it having a staging ground for attacks to dropping packets at random to cause consternation on the target's network, to even MITM-ing internal HTTP web traffic and adding malware payloads.

    How to fix? Just as with anything security related, there is no magic bullet. Router makers are going to have to go back to the drawing board when it comes to security to keep their good names, ensuring unauthorized modifications of the router OS are protected against. Companies should start looking at policies like having critical internal machines have OS firewalls in addition to network firewalling and segmenting.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      The big pervasive problem with anything electronic today is that there is no practical way to reliably restore a clean slate configuration. Once there is a possibility of an infection, you have to basically buy a new one and hope it's not infected right from the factory. Computers and routers and printers and all the others are just not designed to be put in a known state. Firmware update, you say? So you did that and it said it worked. Do you believe it or did it modify the firmware on the fly?

      • lots of routers have special debugging pins for that purpose (often JTAG, sometime serial port)
        okay, almost never are these pins available from the outside, and very frequently you'll have to solder your own header on the board.

        but for the kind of people that frequent /. it is not impossible to directly flash a known firmware to the router bypassing whatever is there.

        sometime it would be possible to boot the router into an alternative mode (from the boot loader in rom, not from the currently flashed firmwar

        • also, while i'm on the subject of forcing a firmware update, are socketed eeprom still a thing on expensive hardware ?

          no matter what malicious firmware is deployed, it won't be able to resist a hardware eeprom programmer.

  • by Anonymous Coward

    More press releases by "computer security" imperial textile rackets as relayed by "bleepingcomputer". This is not news for nerds, and it really doesn't matter at all. But it's about all msmash is capable of, that mastermind "hacker".

  • by Anonymous Coward

    via their support of Trump. Why would we trust them on this issue when they made Trump our ruler? And, why are their programmers not in prison for destroying our election?

  • Put some sort of induction hardware both sides of the router network and see if the router is communicating in strange ways?
    Have the desktop OS and AV able to scan the router from the network?
    • Re:How to detect? (Score:4, Interesting)

      by skids ( 119237 ) on Thursday April 12, 2018 @10:14PM (#56428791) Homepage

      Put some sort of induction hardware both sides of the router network and see if the router is communicating in strange ways?

      Sure, but really smart advanced threats could do very hard to detect things like encoding CNC signals in packet latency or preferential ordering between streams. Basically you either have to discover and dissect an attacker's inserts because they screw up and tip you off that something is wrong, or do something stupid like sell their inserts on the dark web before they are done using them themselves.

      Have the desktop OS and AV able to scan the router from the network?

      If you know what you are doing, you limit control-plane communication on your more important nodes tightly. Plus desktop OS and AV don't usually have a rich signature set for anything but Intel processors. Also the only way to really "scan" a running router's software is to snoop the busses to get snapshots of the RAM... which given the hardware is not commodity kit, is not usually done. No $80k/year net tech is going to try to attach JTAG or bus analyzers to a $20,000 production router blade. Sure you can ask the router to dump RAM (or ROM, but since routers tend to stay up 24/7 RAM-only inserts are probably pretty common) if you can find the vendor's secret commands, but then it could just lie to you. Or crash because the debug command set isn't QAd nearly as well as the provisioning command set.

      The problem will get worse: these devices are getting more and more features that interact with payload traffic... the attack surface is expanding every year. And, with the push to SDN and zero-touch deployment features, more of the guts are being exposed to management stations, which are not notorious for being well secured let me tell you.

      (BTW, pro tip: giving a nessus station access to read the router config files live off the infrastructure devices is putting an awful lot of trust in the integrity of a workstation running a giant amount of hastily cobbled code. Nessus has an offline mode for router config file analysis. Strip your crypts and set up a secure rsync from your config backup server.)

      • by AHuxley ( 892839 )
        Not good news long term for all the trust people put into a powerful and fast VPN router?
        Also think of the end of the consumer network. An ISP provided always on "router" that has to be used in many parts of the world.

        Thats needs some powerful AV company to think about.
        Maybe the next generation of AV comes with their own hardware to place along the network?

        Thanks.

The 11 is for people with the pride of a 10 and the pocketbook of an 8. -- R.B. Greenberg [referring to PDPs?]

Working...