Cisco’s Talos security intelligence group issued a warning today about an uptick in highly sophisticated attacks on network infrastructure, including routers and firewalls.

The Cisco warning piggybacks on a similar joint warning issued today by the UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA) and the US Federal Bureau of Investigation (FBI), which noted an uptick in threats that in part use an exploit that first came to light in 2017. That exploit targeted an SNMP vulnerability in Cisco routers that the vendor patched in 2017.

But as Cisco and the government agencies noted, similar exploits are being aimed at a broad set of multivendor networking gear, potentially including Juniper, Extreme, Allied-Telesis, HP and others.

“The warning involves not just Cisco equipment, but any networking equipment that sits at the perimeter or that might have access to traffic that a significantly capable and well-tooled adversary might have an interest in intercepting and modifying,” said JJ Cummings, Cisco Talos Threat Intelligence & Interdiction team lead. Cummings leads the Talos team tasked with nation-state, critical infrastructure, law enforcement, and intelligence-based concerns.

In a blog post noting the increase in threats, Cisco Talos wrote: “We have observed traffic manipulation, traffic copying, hidden configurations, router malware, infrastructure reconnaissance, and active weakening of defenses by adversaries operating on networking equipment. Given the variety of activities we have seen adversaries engage in, they have shown a very high level of comfort and expertise working within the confines of compromised networking equipment.”

National intelligence agencies and state-sponsored actors across the globe have attacked network infrastructure as a primary target, Cisco stated. “Route/switch devices are stable, infrequently examined from a security perspective, are often poorly patched and provide deep network visibility.”

“The idea here is to get the messaging out that network operations teams need to maybe start to approach things slightly differently or at least be more mindful from a security perspective, because there are significantly capable adversaries that are targeting their infrastructure that may or may not, in many of the cases, have been significantly tooled or monitored, or updated,” Cummings said.

“What we do see primarily is threats targeting those devices and with these types of attacks, somewhat aging—and certainly outdated from a software perspective—devices,” Cummings said. “What we see in almost every instance that I can think of, is the adversary also having some level of pre-existing access to one degree or another to that device.”

Cisco noted a number of specific growing threats, including:

The creation of Generic Routing Encapsulation (GRE) tunnels and the hijacking of DNS traffic, giving the actor the ability to observe and control DNS resolution.
Modifying memory to reintroduce vulnerabilities that had been patched, so the actor has a secondary path to access.
Modification of configurations to move the compromised device into a state that lets the actor execute additional exploits.
Installation of malicious software on an infrastructure device that provides additional capabilities to the actor.
The masking of certain configurations so that they can’t be shown by normal commands.

Recommended precautions include updating software.

As for what can be done to protect networking infrastructure, the biggest and perhaps most obvious step is keeping software up to date, Cummings said. “If you fix the vulnerabilities, and you’re running current software, it’s not going to certainly, completely eliminate your risk. But if I get rid of 10 CVEs, that dramatically reduces my risk footprint,” Cummings said.

He recommends increasing visibility into device behavior, “because without visibility, I can’t necessarily catch the bad guy doing the bad guy things. I need to be able to see and understand any change or access that happens to that fully updated device.” Similarly, strictly locking down access to those devices makes it much harder for attackers to get to them, he said.

The blog also suggests:

Select complex passwords and community strings; avoid default credentials.
Use multi-factor authentication.
Encrypt all monitoring and configuration traffic (SNMPv3, HTTPS, SSH, NETCONF, RESTCONF).
Lock down and aggressively monitor credential systems.
Do not run end-of-life hardware and software.
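As an added example (not code from the article, from Cisco Talos or from the agencies cited), the following Python script audits a router running configuration against several of the points above: default or SNMPv1/v2c community strings, cleartext management access (HTTP, telnet on VTY lines), and GRE tunnel interfaces that should be reconciled against an expected inventory. The configuration syntax is assumed to follow the Cisco IOS style, the sample configuration is constructed for illustration, and the list of "default" community strings is an assumption rather than a vendor-published list.

```python
"""Audit an IOS-style running configuration against the hardening points in
the article: no default or cleartext SNMP communities, encrypted management
access only, and GRE tunnels reconciled against what is expected.

Added example; the config syntax mirrors Cisco IOS as an assumption and the
sample configuration below is constructed, not taken from a real device.
"""
import re
from typing import List, Tuple

# Assumption: community strings commonly shipped as defaults or used in examples.
DEFAULT_COMMUNITIES = {"public", "private", "cisco"}

# Constructed sample configuration for demonstration (not a real device).
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
snmp-server community public RO
snmp-server community n3tm0n-r0 RW
snmp-server group NETMON v3 priv
!
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
!
ip http server
no ip http secure-server
!
line vty 0 4
 transport input telnet ssh
!
"""


def parse_config(text: str) -> List[Tuple[str, List[str]]]:
    """Split the config into top-level stanzas.

    IOS nests sub-commands under a parent by indenting them one space, so a
    stanza is a non-indented line plus every indented line that follows it.
    Comment lines ('!') and blank lines are skipped.
    """
    stanzas: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and stanzas:
            stanzas[-1][1].append(raw.strip())
        else:
            stanzas.append((raw.strip(), []))
    return stanzas


def audit_config(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    findings: List[str] = []
    for header, children in parse_config(text):
        # 'snmp-server community <string> ...' configures SNMPv1/v2c: the
        # community string is the only credential and it travels in cleartext.
        m = re.match(r"snmp-server community (\S+)", header)
        if m:
            community = m.group(1)
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"default SNMP community string '{community}'")
            else:
                findings.append(
                    f"SNMPv1/v2c community '{community}' (cleartext; migrate to SNMPv3)")
        # Cleartext web management; 'ip http secure-server' is the encrypted form.
        if header == "ip http server":
            findings.append("cleartext HTTP management enabled ('ip http server')")
        # VTY lines that accept telnet ('transport input all' also includes telnet).
        if header.startswith("line vty"):
            for child in children:
                tokens = child.split()
                if tokens[:2] == ["transport", "input"] and (
                        "telnet" in tokens or "all" in tokens):
                    findings.append(f"{header}: telnet permitted ('{child}')")
        # Tunnel interfaces default to GRE over IPv4 when no 'tunnel mode' is set.
        if header.startswith("interface Tunnel"):
            mode = next((c for c in children if c.startswith("tunnel mode")),
                        "tunnel mode gre ip")
            dest = next((c.split()[-1] for c in children
                         if c.startswith("tunnel destination")), "unknown")
            if "gre" in mode:
                findings.append(
                    f"{header}: GRE tunnel to {dest}; reconcile against the expected tunnel inventory")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the constructed configuration, the script flags five settings: the default `public` community, the second v1/v2c community, the unexpected GRE tunnel, cleartext HTTP management and telnet on the VTY lines. A configuration using only an SNMPv3 group and `transport input ssh` produces no findings. The audit reads whatever `show running-config` returns, so it cannot see the hidden configurations the article describes; pairing it with off-device collection (NETCONF/RESTCONF over TLS) and a stored baseline is what lets unexpected drift stand out.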