Own the Router, Own the Traffic
Network devices are ideal targets. Most or all organizational and customer traffic must traverse these critical devices. A malicious actor with presence on an organization’s gateway router has the ability to monitor, modify, and deny traffic to and from the organization.
...
Legitimate user masquerade is the primary method by which these cyber actors exploit targeted network devices. In some cases, the actors use brute-force attacks to obtain Telnet and SSH login credentials. However, for the most part, cyber actors are able to easily obtain legitimate credentials, which they then use to access routers.
Cyber actors masquerade as legitimate users to log into a device or establish a connection via a previously uploaded OS image with a backdoor. Once successfully logged into the device, cyber actors execute privileged commands. These cyber actors create a man-in-the-middle scenario that allows them to
- extract additional configuration information,
- export the OS image file to an externally located cyber actor-controlled FTP server,
- modify device configurations,
- create Generic Routing Encapsulation (GRE) tunnels, or
- mirror or redirect network traffic through other network infrastructure they control.
At this stage, cyber actors are not restricted from modifying or denying traffic to and from the victim.
...
SMI is an unauthenticated management protocol developed by Cisco. This protocol supports a feature that allows network administrators to download or overwrite any file on any Cisco router or switch that supports this feature. This feature is designed to enable network administrators to remotely install and configure new devices and install new OS files.
On November 18, 2016, a Smart Install Exploitation Tool (SIET) was posted to the Internet. The SIET takes advantage of the unauthenticated SMI design. Commercial and government security organizations have noted that Russian state-sponsored cyber actors have leveraged the SIET to abuse SMI to download current configuration files. Of concern, any actor may leverage this capability to overwrite files to modify the device configurations, or upload maliciously modified OS or firmware to enable persistence.