Request A Demo
  • Blog Post

Attacker: Grizzly Steppe

Russian state-sponsored cyber actors appear to be performing worldwide cyber exploitation of enterprise-class and SOHO/residential network infrastructure devices (e.g., router, switch, firewall, Network-based Intrusion Detection System (NIDS) devices). This campaign, particularly the choice of protocols and devices appears to have some overlap with earlier reports detailing the vulnerability CVE-2018-0171, as well as, reports detailing cyber-attacks on network infrastructure utilizing vulnerabilities in smart install (SMI).

This attack was an attempt to exploit vulnerabilities in routers and switches which was intended to advance spying, intellectual property theft and other malicious activity. It is feared that the exploited routers could be used to launch future offensive cyber operations.

Do note that Russian cyber actors do not actually need to leverage zero-day vulnerabilities or install malware to exploit the devices. They are taking advantage of the following older, existing vulnerabilities:

  • Devices with legacy unencrypted protocols or unauthenticated services
  • Devices that are insufficiently hardened before installation
  • Devices that are no longer supported with security patches by manufacturers or vendors such as end-of-life devices

Affected Systems:

  • Generic Routing Encapsulation Enabled Devices
  • CISCO Smart Install Enabled Devices
  • Simple Network Management Protocol Enabled Devices

Proficio Threat Intelligence Recommendations:

  • Regularly inspect firewall policies that have Cisco Smart Install (4786 TCP) open to the internet and make sure they are set to only allow the IP ranges that are required for the connection
  • Regularly inspect firewall policies that have telnet open to the internet and close the connection
  • Mitigate the risks of compromised credentials by utilizing multi-factor authentication and strong password policies for all accounts, with special emphasis on any external-facing interfaces and high-risk environments
  • Restrict internet access to the management interface of any network device
  • Configure network devices before installing onto a network exposed to the internet. If SMI must be used during installation, disable SMI with the “no vstack” command before placing the device into operation

General Information – Click Here

Recent Blog Posts

Stay Ahead of Evolving Threats

Signup for our free newsletter and receive invaluable threat notifications from our Threat Intelligence team.

By submitting this form, you agree to the Proficio Website Terms of Use and the Proficio Privacy Policy.

REQUEST A DEMO

Experience Tomorrow’s
Security Today

Request a Demo and Experience Proficio's
Innovative Solutions in Action.

By submitting this form, you agree to the Proficio Website Terms of Use and the Proficio Privacy Policy.

North America

+1.800.779.5042
info@proficio.com

APAC

+65.6996.9185

EMEA

+34.937.370.358

Services

ProSOC MDR
Risk Based Vulnerability Management
Cyber Exposure Monitoring
Active Defense Response
View All Services

Partners

Partner Login
Channel Partners
Technology Partners
MSP Partners
Become A Partner

Stay Ahead of Evolving Threats

Signup for our free newsletter and receive invaluable threat notifications from our Threat Intelligence team


By submitting this form, you agree to the Proficio Website Terms of Use and the Proficio Privacy Policy.

Solutions

24/7 Security Operations
Accelerate Your SIEM Deployment
Identify Targeted Attacks
Mitigate Threats to Prevent Breaches
Improve MTTD & Reduce False Positives
Protect Your Identities
Protect Your Endpoints

 

Protect Your Cloud 
Protect Your Network
Meet Cyber Insurance Requirements
Enhance Reporting & Business Intelligence
Compliance Assurance

Resources

Resource Center
Guides
Case Studies
Reports 
Datasheets
Videos
Webinars
White Paper

Company

About Us
Leadership
Awards
Blog
Press Releases
News
Events
Careers
Contact Us

© 2024 Proficio. All Rights Reserved. Privacy Notice & Cookie Policy | Terms of Use