Block HTTP to Those Cisco Routers, Boys!

Started by deanwebb, September 15, 2015, 10:07:26 AM


deanwebb

https://threatpost.com/attackers-replacing-firmware-on-cisco-routers/114665

:problem?:

Summary: modified IOS on Cisco routers leaves a backdoor open to HTTP. So... make sure that you block HTTP access to your routers!

:professorcat:
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

#1
Quote from: deanwebb on September 15, 2015, 10:07:26 AM
https://threatpost.com/attackers-replacing-firmware-on-cisco-routers/114665

:problem?:

Summary: modified IOS on Cisco routers leaves a backdoor open to HTTP. So... make sure that you block HTTP access to your routers!

:professorcat:

Who would run an IOS image that they found on a site other than Cisco.com.....in production....using EOS gear....on the network perimeter <some small company without SmartNet contract, that needed to upgrade for some reason>?
:professorcat:

My Moral Fibers have been cut.

deanwebb

PROTIP: Don't let just anyone have ROMMON access to your routers!

A side thought: I wonder how many hacked networks are actually GNS3 setups that are connected to the internet?

that1guy15

Quote from: ristau5741 on September 15, 2015, 11:00:22 AM
Quote from: deanwebb on September 15, 2015, 10:07:26 AM
https://threatpost.com/attackers-replacing-firmware-on-cisco-routers/114665

:problem?:

Summary: modified IOS on Cisco routers leaves a backdoor open to HTTP. So... make sure that you block HTTP access to your routers!

:professorcat:

Who would run an IOS image that they found on a site other than Cisco.com.....in production....using EOS gear....on the network perimeter <some small company without SmartNet contract, that needed to upgrade for some reason>?
If I had a nickel for every time a front-line or Jr used anything other than Cisco documentation to do something on a device I would be a rich rich man.
That1guy15
@that1guy_15
blog.movingonesandzeros.net

Otanx

Quote from: ristau5741 on September 15, 2015, 11:00:22 AM
Who would run an IOS image that they found on a site other than Cisco.com.....in production....using EOS gear....on the network perimeter <some small company without SmartNet contract, that needed to upgrade for some reason>?

It isn't the admin that is loading the image. Attackers are getting the login information, and then loading the firmware themselves. This is mainly a weak password/password reuse issue.

-Otanx

Dieselboy

There's a website someone showed me. You put in some Cisco HTTP response keyword and the website returns results, basically from all the routers scanned where it's managed to get HTTP access. Then you can http to them, and execute commands through the unsecured http via the browser and open SSH / Telnet etc. We were messing around accessing AT&T's internet routers a very long time ago. I was thinking about setting up tunnels between different vendors and enable a routing protocol but never did. It's very easy to access kit on the internet if it's been set up with neglect. Why anyone would leave HTTP open to any internet host is beyond me. I do leave HTTP enabled, but it's secured either through specific source networks, or if that cannot be done (e.g. my home Cisco router) then it's only accessible via VPN.
I've even seen routers deployed which have not been configured to block traffic to them. A lot of people don't seem to understand that if for example an internet router on the edge of a network is just routing from you to the internet and back again, then the WAN side should have a blocking rule from any to itself in most cases. There may be a cause to allow SSH to itself from specific sources. Similarly, on the inside I'm still only allowing legit traffic to the router for management purposes.
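One way to put deanwebb's "block HTTP to your routers" advice and Dieselboy's edge rules (WAN side drops anything addressed to the router, management only from known sources, SSH not Telnet) into an IOS config. This is an added example, not something posted in the thread; the interface name, the WAN address (a TEST-NET-3 placeholder) and the management subnet are assumptions.

```cisco
! Added hardening example, not from the thread. Assumed (hypothetical):
!   - WAN interface GigabitEthernet0/0 with address 203.0.113.10 (placeholder)
!   - management subnet 10.0.100.0/24 is the only legitimate source of admin sessions
!   - no NAT overload on the WAN address (see the note at the bottom)
!
! 1. No plaintext HTTP at all. HTTPS only if a web UI is really needed
!    (requires a crypto-capable image; otherwise drop the secure-server line too).
no ip http server
ip http secure-server
ip http authentication local
!
! 2. Even HTTPS only answers management sources. Numbered standard ACL so the
!    command works on older IOS trains that lack named-ACL support here.
access-list 10 remark management sources allowed to reach the web UI
access-list 10 permit 10.0.100.0 0.0.0.255
access-list 10 deny   any log
ip http access-class 10
!
! 3. Same source restriction on the VTY lines; Telnet off, SSH only.
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 10 0
!
! 4. WAN side: anything addressed to the router itself is dropped and logged
!    unless listed first. Put explicit permits above the deny only for peers
!    the box must talk to (a BGP neighbour, an IPsec peer, ...).
ip access-list extended WAN-IN
 remark --- traffic TO the router: deny by default
 deny   ip any host 203.0.113.10 log
 remark --- transit traffic is left to the firewall behind this router
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group WAN-IN in
!
! NAT note: an inbound interface ACL is evaluated before outside-to-inside NAT,
! so if 203.0.113.10 is also the PAT address, return traffic is destined to it
! and the deny above would break it. In that case permit return flows ahead of
! the deny (e.g. "permit tcp any host 203.0.113.10 established" plus stateful
! inspection for UDP/ICMP), or enforce the block with a control-plane policy.
```

Verify with `show ip http server status` (server should report disabled or HTTPS-only with access-class 10) and `show access-lists` after a test connection from a non-management source, which should show the deny counters and a log entry.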

SimonV

Quote from: Dieselboy on September 17, 2015, 08:33:44 PM
There's a website someone showed me. You put in some Cisco HTTP response keyword and the website returns results, basically from all the routers scanned where it's managed to get HTTP access. Then you can http to them, and execute commands through the unsecured http via the browser and open SSH / Telnet etc. We were messing around accessing AT&T's internet routers a very long time ago. I was thinking about setting up tunnels between different vendors and enable a routing protocol but never did. It's very easy to access kit on the internet if it's been set up with neglect. Why anyone would leave HTTP open to any internet host is beyond me. I do leave HTTP enabled, but it's secured either through specific source networks, or if that cannot be done (e.g. my home Cisco router) then it's only accessible via VPN.
I've even seen routers deployed which have not been configured to block traffic to them. A lot of people don't seem to understand that if for example an internet router on the edge of a network is just routing from you to the internet and back again, then the WAN side should have a blocking rule from any to itself in most cases. There may be a cause to allow SSH to itself from specific sources. Similarly, on the inside I'm still only allowing legit traffic to the router for management purposes.

Was it this site? http://www.shodanhq.com