- NSA, FBI, CISA and 15 allied agencies warn that Russia’s FSB Center 16 is exploiting weak or default credentials and old Cisco flaws to compromise critical infrastructure devices
- The advisory highlights CVE-2018-0171 (Smart Install DoS/RCE) and CVE-2008-412813 (CSRF in Cisco IOS 12.4) as examples of vulnerabilities that are still being abused
- TTPs overlap with Chinese groups, but attribution points to Russian actors like Berserk Bear and Energetic Bear; The full IoCs and mitigations were published in the joint advisory.
Russian state-sponsored threat actors continually attack broken and misconfigured network devices belonging to critical infrastructure providers around the world, warns a joint security advisory published by the US National Security Agency (NSA) and more than a dozen other agencies.
According to the notice, hackers working for Center 16 of Russia’s Federal Security Service (FSB) are constantly searching for routers and other Internet-connected devices that can be accessed with “common or default” login credentials.
Once found, these devices are instructed to copy the device’s configuration files and then exfiltrate them via Trivial File Transfer Protocol to servers under their control.
Mad Bear and Salt Typhoon
In cases where weak or default credentials do not work, threat actors also attempt to exploit the vulnerabilities. In the advisory, the agencies specifically mentioned two flaws in Cisco devices: CVE-2018-0171 and CVE-2008-412813. The first is an eight-year-old bug in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software that allows an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code.
The latter is an even older (18 years) set of multiple cross-site request forgery (CSRF) vulnerabilities in the HTTP management component in Cisco IOS 12.4 on the Integrated Services Router 871 that allows remote attackers to execute arbitrary commands.
Although many of these tactics, techniques and procedures (TTP) overlap with the Chinese Salt Typhoon hackers, the agencies suggested that they are primarily focusing on the Russian hackers known as Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard or Static Tundra.
The joint advisory is co-authored by the NSA, FBI and CISA, as well as 15 other agencies from Australia, the United Kingdom, Canada, New Zealand, Estonia, Finland, France and Italy.

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.




