When Networking and Security Gear Is Used for Surveillance
It’s not easy to stop attacks when your best defenses are used against you. This is a hard lesson that many organizations learned on August 13th, when a shifty group calling themselves the “Shadow Brokers” released exploit tools targeting firewalls from Cisco, Juniper, and Fortinet. Now the security system you trust to protect the “front door” to your network can become the mechanism to let attackers inside.
The Shadow Brokers announced that they were auctioning off cyber weapons from the Equation Group (a threat actor purportedly linked to the NSA). To prove that they had the goods, the Shadow Brokers released several samples of attack tools targeting firewalls.
Yoni Allon, Director of Security Research, analyzed the tools and described his findings in a Dark Reading article. In the article, he explained why attackers target networking and security equipment and what organizations should do to protect their networks from similar threats.
Some security professionals might assume that only high-profile government agencies need to worry about advanced attacks targeting networking and security devices. They are wrong. One of our customers, a North American critical infrastructure company, learned firsthand that attackers do, in fact, target networking gear when they detected a remote user trying to manage a router in their network.
The company had deployed the LightCyber Magna Behavioral Attack Detection Platform before the incident occurred. Magna detected the malicious activity and generated alerts informing the company’s security team of command and control activity and new administrative behavior from the user’s PC to routers on the network. After more investigation, the company learned that the user’s machine had been infected with a Trojan. Coincidentally (or perhaps not…), a few days after the intrusion was detected, a vulnerability in Cisco IOS routers was published.
The exploits revealed in the recent Equation Group Cyber Weapons leak should not come as a huge surprise. Some of the exploits in the leak, such as BANANAGLEE, were mentioned in documents like the NSA ANT Catalog, a 50-page document listing a wide variety of cyber surveillance tools that was created in 2008. The exploits that the Shadow Brokers revealed this month—while dangerous—represent a small fraction of any major threat actor’s full gamut of cyber weapons. The reality is that there are many doors open to an attacker to get into any given network.
If organizations want to find and stop attackers on their network, they need to detect anomalous activity originating not only from their computers and servers, but also from their networking equipment, their firewalls, IoT devices, unmanaged mobile phones, and just about every other connected device on their network. A network-centric detection model based on behavioral profiling is the only way to guarantee this broad visibility.
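The incident described above (a user PC suddenly opening management sessions to routers) and the behavioral-profiling approach this post argues for can be illustrated with a small baseline-and-deviate detector. The script below is an added example, not LightCyber or Magna code: it learns, from flow records in a baseline window, which hosts normally administer each known network device over management ports, then flags any host that later manages a device it has never managed before. The device inventory, management port list, IP addresses and flow records are all constructed for the example.

```python
"""
Detect "new administrative behavior" toward network devices.

Added example (not vendor code). Builds a per-device set of hosts that
opened management sessions during a baseline window, then alerts on hosts
that manage a device for the first time afterwards. Every address, name
and flow record here is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime

# Ports assumed to carry device management traffic in this environment.
ADMIN_PORTS = {22: "ssh", 23: "telnet", 443: "https", 161: "snmp"}

# Constructed inventory of managed network devices (hypothetical addresses).
NETWORK_DEVICES = {"10.0.0.1": "core-rtr-1", "10.0.0.2": "edge-rtr-1"}

# Constructed flow records: timestamp,src_ip,dst_ip,dst_port
SAMPLE_FLOWS = """\
# --- baseline period: two jump hosts routinely manage the routers ---
2016-08-01T09:00:00,10.0.5.10,10.0.0.1,22
2016-08-01T09:04:00,10.0.5.10,10.0.0.2,22
2016-08-02T11:30:00,10.0.5.11,10.0.0.1,443
# --- detection period: a user workstation starts managing routers ---
2016-08-10T14:02:11,10.0.5.10,10.0.0.1,22
2016-08-10T14:20:05,10.0.20.42,10.0.0.1,22
2016-08-10T14:21:40,10.0.20.42,10.0.0.1,23
2016-08-10T14:25:09,10.0.20.42,10.0.0.2,22
2016-08-10T14:26:00,10.0.20.42,10.0.30.7,22
2016-08-10T14:27:00,10.0.20.42,10.0.0.1,8080
"""

# Everything before this timestamp is treated as learned, normal behavior.
BASELINE_END = datetime(2016, 8, 9)


def parse_flows(text):
    """Parse the CSV-style records, skipping blank lines and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split(",")
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "port": int(port)})
    return flows


def admin_sessions(flows):
    """Yield only flows to a known device over a management port."""
    for f in flows:
        if f["dst"] in NETWORK_DEVICES and f["port"] in ADMIN_PORTS:
            yield f


def build_baseline(flows, until):
    """Map device name -> set of hosts seen administering it before `until`."""
    baseline = defaultdict(set)
    for f in admin_sessions(flows):
        if f["ts"] < until:
            baseline[NETWORK_DEVICES[f["dst"]]].add(f["src"])
    return baseline


def detect_new_admins(flows, baseline, since):
    """Alert once per (host, device) pair that is absent from the baseline."""
    alerts = {}
    for f in admin_sessions(flows):
        if f["ts"] < since:
            continue
        device = NETWORK_DEVICES[f["dst"]]
        if f["src"] in baseline.get(device, set()):
            continue  # this host has managed this device before
        key = (f["src"], device)
        if key not in alerts:
            alerts[key] = {"src": f["src"], "device": device,
                           "service": ADMIN_PORTS[f["port"]],
                           "first_seen": f["ts"].isoformat()}
    return list(alerts.values())


def run_detection(text=SAMPLE_FLOWS, cutoff=BASELINE_END):
    """Learn from the baseline window, then return alerts for the rest."""
    flows = parse_flows(text)
    baseline = build_baseline(flows, cutoff)
    return baseline, detect_new_admins(flows, baseline, cutoff)


if __name__ == "__main__":
    _, found = run_detection()
    for a in found:
        print(f"ALERT new admin: {a['src']} -> {a['device']} "
              f"({a['service']}) first seen {a['first_seen']}")
```

On the sample data the two jump hosts form the baseline, so their later sessions stay silent; the workstation 10.0.20.42 produces exactly two alerts, one per router it touched, while its SSH to a non-device address and its connection to a non-management port are ignored. In practice the baseline window would span weeks rather than days, and an alert like this gains weight when it is correlated with other findings on the same host, such as the command and control activity the post describes.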