Cisco Talos: 3 post-compromise tactics that threaten your network infrastructure

The bad actors who are perpetrating advanced persistent threat (APT) attacks aren’t just looking to access your network. They want to sneak in and hang around to collect valuable data or lay plans for future attacks.

Post-compromise threats are growing, and they’re aimed largely at aging network infrastructure and edge devices that are long past end-of-life stage and may have critical unpatched vulnerabilities, according to Nick Biasini, head of outreach at Cisco’s Talos security research arm. “We do see these threats across the board. But the older legacy components have more avenues for access, especially if the devices are out of support and they haven’t been updated in three or four years,” Biasini said. 

For a long time, enterprises have taken a hands-off approach to edge devices, sort of a “don’t touch it, let it do what it does, and let it keep running” approach, Biasini said. “It was like a badge of honor to have an edge device that was out there running for two or three years. Now, that is a very, very big liability, and it’s something organizations really need to take care of,” Biasini said. 

“There’s going to be a lot of additional vulnerabilities and potential avenues for adversaries on those devices,” Biasini said, whereas with recently installed edge devices that have up-to-date firmware, the attack surface is going to be lower. “We do tend to see bad actors feasting on those older devices,” he said.

When older devices weren’t designed with security in mind, and when network infrastructure sits outside of security’s ecosystem, it makes it increasingly difficult to monitor network access attempts, according to Hazel Burton, a global cybersecurity product marketing manager at Cisco. “Adversaries, particularly APTs, are capitalizing on this scenario to conduct hidden, post-compromise activities once they have gained initial access to the network,” Burton wrote in an a blog outlining some of the attack scenarios. “The goal here is to give themselves a greater foothold, conceal their activities, and hunt for data and intelligence that can assist them with their espionage and/or disruptive goals.”

Biasini said there are two main groups of bad actors that are targeting network infrastructure: state-sponsored attackers and criminal enterprises. “State-sponsored groups are interested in these devices primarily to gain a foothold for espionage purposes, with the goal to maintain access for the long term,” Biasini said. 

Criminal enterprises have a different goal; they typically access older edge devices to gain an initial foothold, and they’re going to quickly pivot inside the network and attempt to extort their victims. “Because from a ransomware and extortion cartel perspective, you’re not going to get a lot of leverage to ransom someone by sitting on an edge device. But if you can use that edge device to pivot into the network, and then launch a widescale, ransomware attack, it’s incredibly advantageous to them,” Biasini said. 

Cisco’s Talos identified three of the most common post-compromise tactics on network infrastructure:

1. Modifying firmware. “Talos has observed APTs modifying network device firmware on older devices to add certain pieces of functionality, which will allow them to gain a greater foothold on the network. This could be adding implants or modifying the way the device captures information,” Burton wrote.

“An example of this is the recent exploitation of Cisco IOS XE Software Web Management User Interface. One attack included the deployment of an implant we called ‘BadCandy’ which consisted of a configuration file (‘cisco_service.conf’). The configuration file defined the new web server endpoint (URI path) used to interact with the implant. That endpoint receives certain parameters that allowed the actor to execute arbitrary commands at the system or IOS level.”

Performing configuration comparisons on firmware may help to highlight when it has been altered by an adversary, according to Burton.

2. Uploading customized/weaponized firmware. “If threat actors cannot modify the existing firmware, or they need additional levels of access that they don’t currently have, adversaries can upload customized or old firmware they know have working exploits against it (in effect, reverting to an older version of the firmware),” Burton wrote. “Once the weaponized firmware has been uploaded, they reboot the device, and then exploit the vulnerability that is now unpatched. This now provides the threat actor with a box that can be modified with additional functionality, to exfiltrate data, for example.”

“If you’re looking at your logs and it looks like someone has actually turned off logging, that is a huge red flag that your network has been infiltrated and potentially compromised.”

3. Bypassing or removing security processes. “Talos has also seen threat actors take measures to remove anything blocking their access to fulfil their goals. If for example they want to exfiltrate data, but there’s an access control list (ACL) that blocks the actor from being able to access the host, they may modify the ACL or remove it from the interface. Or they may install operating software that knows to not apply ACLs against certain actor IP addresses, regardless of the configuration,” Burton wrote. 

The BadCandy campaign is a good example of how an actor can remove certain security measures. “The adversary was able to create miniature servers (virtualized computers) inside of compromised systems which created a base of operations for them. This allowed the threat actors to intercept and redirect traffic, as well as add and disable user accounts. This meant that even if the organization were to reboot the device and erase the active memory, the adversary would still have persistent accounts – effectively a consistent back door,” Burton wrote.

Cisco Talos recommendations

One of the ways Cisco and others are fighting attacks on network infrastructure and other security challenges is through an industry group formed last summer, the Network Resilience Coalition. The Coalition includes AT&T, Broadcom, BT Group, Cisco, Fortinet, Intel, Juniper Networks, Lumen Technologies, Palo Alto Networks, Verizon and VMware. The group rolled out a set of recommendations for vendors and users aimed at helping them combat the security threats posed by end-of-life network infrastructure.

As summarized in the Talos blog, some of the Coalition’s recommendations include:

• Align software development practices with the NIST Secure Software Development Framework (SSDF).

• Provide clear and concise details on product “end-of-life,” including specific date ranges and details on what support levels to expect for each.

• Separate critical security fixes for customers and not bundle those patches with new product features or functionality changes.

• Increase cybersecurity diligence (vulnerability scanning, configuration management) on older products that are outside of their support period.

• Periodically ensure that product configuration is aligned with vendor recommendations, with increasing frequency as products age, and ensure implementation of timely updates and patches.

Talos added to that list, saying organizations should deploy complex passwords and community strings, use SNMPv3 or subsequent versions, deploy multi-factor authorization where possible, and require encryption when configuring and monitoring devices.