Recently the DHS, FBI, and the UK’s NCSC took the very unusual step of issuing a joint alert to warn of Russian state-sponsored attacks against network infrastructure such as routers, switches, firewalls, and IPS devices. The alert revealed that the campaign is widespread, targeting both government and private sector networks, and even SOHO devices. This was followed up by information about the VPNFilter malware that compromised hundreds of thousands of network equipment and network-attached storage devices. This disclosure has tremendous implications for cybersecurity going forward that many may not fully appreciate.
Infrastructure Attacks Go Mainstream
First, this is the moment that attacks on internal network infrastructure really went mainstream. A nation-state sponsored attack may not initially feel mainstream, but keep in mind that this is a very widespread attack. Nation-states don’t do broad, global operations if the technique is a secret. Secondly, there isn’t anything that limits the same style of attack to a nation-state. Scanning for exposed, vulnerable services and brute forcing common default passwords is standard procedure for any opportunistic or criminal attacker. The “how” of the attack is very traditional – the new part is what is being attacked.
High Value Devices With Low Level Security
Organizations also have to understand what compromised infrastructure means from both an attacker’s and defender’s perspective. The attacker’s perspective is probably the most obvious. Compromising a network device could allow an attacker to copy, reroute, and block traffic on demand. Or in other words, attackers could steal data, steal credentials, gain man-in-the-middle position, and DoS the network and services. This alone would make network and infrastructure devices some of the most high-value devices in any network. Yet, as the alert notes these devices are rarely updated and are typically not protected by additional layers of security. Some of our most powerful assets are the least protected. Just imagine how many times this applies to other critical systems that are part of enterprise infrastructure, too.
Security Through the Looking Glass
Things get even trickier when we think about the defender’s perspective. The same switches, firewalls, and IPS appliances that are under attack are the very assets we would use to find and block malicious traffic. The alert noted that in addition to manipulating traffic, the attackers would modify the underlying firmware and OS of the compromised network devices. This not only provides the attacker with long-term persistence in the network, but it also gives the attacker control of the device well below what a user would see in the UI. This makes it critical to have independent controls that can verify the integrity of our infrastructure and detect modified firmware or implants in the device.
Strategy vs Tactics
It is also critical that we look beyond the details of this specific event to see the bigger picture. Much of the alert rightly focused on countermeasures for the immediate threat (disabling/blocking insecure protocols, updating default passwords, etc). However, there are many avenues for critical infrastructure to be compromised beyond large-scale scanning for exposed services. Servers and network devices have repeatedly been compromised in the supply chain before they are even delivered to a victim network. In fact, Gartner recently noted the lack of trust in the technology supply chain as one of top Security and Risk Management trends for 2018. Administrators are routinely targeted and compromised as part of persistent attacks, which could then allow the attacker to access critical network devices and servers. Malware can even allow similar attacks to take place without physical access by exploiting vulnerable firmware. There are many paths to the same goal.
The overriding point is that organizations need reliable, independent methods to know if and when their critical infrastructure is compromised, and how to stop active attacks. That is exactly what we do at Eclypsium, and we look forward to showing you how.