Three U.S. government agencies urged operators to patch their systems and take several other steps to boost security, warning that state-sponsored attackers from China have been targeting routers within their networks since 2020.
In a joint advisory, the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) said attackers have spent the last few years sniffing out and exploiting vulnerabilities in network devices such as small and home office routers and network-attached storage devices. They listed gear from Cisco, Citrix, Fortinet and Netgear among the most commonly targeted devices.
The agencies also highlighted attacks on service provider infrastructure, noting hackers have been using RouterSploit and RouterScan to home in on known vulnerabilities that allow them to gain a foothold in a “telecommunications organization or network service provider” network. Once inside, the attackers target Remote Authentication Dial-In User Service (RADIUS) servers, which give them access to key credentials. Malicious scripts have targeted Cisco and Juniper routers, they said.
“Armed with valid accounts and credentials from the compromised RADIUS server and the router configurations, the cyber actors returned to the network and used their access and knowledge to successfully authenticate and execute router commands to surreptitiously route, capture, and exfiltrate traffic out of the network to actor-controlled infrastructure,” the warning reads.
According to the notice, Cisco and Netgear have already released software patches for most of the known vulnerabilities.
In addition to implementing available patches and system updates, the agencies urged operators to take several steps to mitigate potential attacks. These include immediately removing or isolating suspected compromised devices; segmenting the network to limit or block lateral movement; disabling unused or unnecessary network services, ports, protocols and devices; and enforcing multifactor authentication for all users, including those on VPN connections.
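As an added example (not from the advisory or from this story), a small Python audit that flags the kinds of unnecessary services the agencies recommend disabling, plus a few missing hardening lines, in a Cisco IOS-style configuration. The sample configuration and the check list are constructed assumptions, not taken from the advisory.

```python
"""Audit a Cisco IOS-style running config for unnecessary services and
missing hardening. Sample config and check list are constructed examples."""
import re

# Global commands that enable services a router usually does not need.
RISKY_SERVICES = [
    (r"^ip http server$", "HTTP management interface enabled"),
    (r"^ip http secure-server$", "HTTPS management interface enabled"),
    (r"^service tcp-small-servers$", "TCP small servers (echo/chargen) enabled"),
    (r"^service udp-small-servers$", "UDP small servers enabled"),
    (r"^cdp run$", "CDP enabled globally"),
    (r"^snmp-server community \S+ RW", "SNMP community with write access"),
    (r"^ip source-route$", "IP source routing enabled"),
]
# Lines that should be present; their absence is reported as a finding.
REQUIRED = [
    (r"^aaa new-model$", "AAA not enabled (aaa new-model missing)"),
    (r"^service password-encryption$", "service password-encryption missing"),
]

def audit_config(config: str) -> list[str]:
    """Return a list of human-readable findings for the given config text."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    for pattern, msg in RISKY_SERVICES:
        if any(re.match(pattern, line) for line in lines):
            findings.append(msg)
    for pattern, msg in REQUIRED:
        if not any(re.match(pattern, line) for line in lines):
            findings.append(msg)
    # Each "line vty" block runs until the next line that is not indented.
    for m in re.finditer(r"^line vty .*(?:\n .*)*", config, re.M):
        block = m.group(0)
        name = block.splitlines()[0]
        if re.search(r"transport input .*\b(telnet|all)\b", block):
            findings.append(f"{name}: telnet permitted")
        if "access-class" not in block:
            findings.append(f"{name}: no access-class restricting sources")
    return findings

# Constructed sample: a deliberately weak edge router configuration.
SAMPLE_CONFIG = """\
hostname edge-rtr1
service tcp-small-servers
ip http server
cdp run
snmp-server community public RW
!
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 access-class 10 in
 transport input ssh
 login local
!
end
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```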
A Cisco representative told Fierce it “is aware of the CISA alert and also recommends the best practices and mitigations provided. For the CVEs associated with Cisco products, Cisco has released free software updates to address the described vulnerabilities and published security advisories to inform our customers and explain the remediation steps.” Juniper did not immediately respond to a request for comment.
The full warning can be found here.
This story has been updated with a comment from Cisco.