The sophisticated threat actor, linked to Russia’s Federal Security Service (FSB) Center 16 unit, has been targeting unpatched and end-of-life network devices since 2015, with operations significantly escalating following the Russia-Ukraine conflict.
The campaign centers around CVE-2018-0171, a previously disclosed vulnerability in Cisco IOS software’s Smart Install feature that allows unauthenticated remote attackers to execute arbitrary code or trigger denial-of-service conditions.
Despite Cisco issuing patches in 2018, Static Tundra continues to find success exploiting organizations that have failed to apply security updates or are running legacy devices beyond their support lifecycle.
Static Tundra’s victims span telecommunications, higher education, and manufacturing sectors across North America, Asia, Africa, and Europe.
The group demonstrates remarkable persistence, maintaining access to compromised environments for multiple years without detection.
Cisco Talos analysts identified the threat cluster through ongoing analysis of sophisticated network device compromises, noting the group’s advanced knowledge of network infrastructure and deployment of bespoke exploitation tools.
Static Tundra employs a methodical approach to configuration theft, beginning with automated exploitation of the Smart Install vulnerability against predetermined target lists likely gathered from public scanning services like Shodan or Censys.
Upon successful exploitation, the attackers immediately modify the running configuration so that the device serves its startup configuration over the Trivial File Transfer Protocol (TFTP), using the command:

tftp-server nvram:startup-config

This directive makes the device act as a TFTP server for that file until the line is removed from the configuration, allowing Static Tundra to open a secondary connection and retrieve the startup configuration file.
The extracted configurations often contain sensitive credentials and Simple Network Management Protocol (SNMP) community strings that facilitate deeper network penetration.
The threat actors leverage these compromised credentials to pivot laterally through network environments, using SNMP with spoofed source addresses to bypass access control lists that restrict management access to trusted hosts.
Static Tundra has been observed creating privileged local user accounts and establishing Generic Routing Encapsulation (GRE) tunnels to redirect and capture network traffic of intelligence value, demonstrating a focus on long-term espionage rather than immediate financial gain.
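The indicators above (a tftp-server line exposing the startup configuration, new privilege-15 local accounts, cleartext SNMP community strings, and GRE tunnels to unexpected destinations) are all visible in a device's running configuration, so a defender can sweep exported configs for them. The following Python script is an added example and is not code from the article, from Cisco Talos, or from Cisco; the sample configuration, hostnames, addresses and credentials in it are constructed and fictional. It also reports when "no vstack", the IOS global command that disables the Smart Install client, is absent, with the caveat that the authoritative check is "show vstack config" on the device itself.

```python
"""Audit a Cisco IOS running-config for Static Tundra style post-exploitation
indicators. Example code added for illustration; not from the article."""
import re
from dataclasses import dataclass

# Constructed sample config (fictional values) containing the indicators the
# article describes: tftp-server exposing startup-config, a privilege-15 user
# with a reversible type-7 password, cleartext SNMP communities, a GRE tunnel.
SAMPLE_CONFIG = """\
!
hostname edge-sw01
!
username admin privilege 15 secret 5 $1$abcd$0123456789abcdefghijkl
username svc_backup privilege 15 password 7 0822455D0A16
!
tftp-server nvram:startup-config
!
interface Tunnel100
 ip address 10.255.255.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.45
!
interface Tunnel200
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.7
!
snmp-server community public RO
snmp-server community private RW
!
end
"""


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    line_no: int    # 1-based line in the config text (0 for config-wide notes)
    text: str       # offending config line or interface name
    reason: str


TFTP_RE = re.compile(r"^tftp-server\s+(\S+)")
USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\s+(secret|password)\s+(\d)")
SNMP_RE = re.compile(r"^snmp-server\s+community\s+(\S+)(.*)$")
IFACE_RE = re.compile(r"^interface\s+(Tunnel\d+)")
TUN_MODE_RE = re.compile(r"^\s+tunnel mode\s+(\S+)")
TUN_DEST_RE = re.compile(r"^\s+tunnel destination\s+(\S+)")


def audit_config(config: str) -> list[Finding]:
    """Return findings for every indicator present in the config text."""
    findings: list[Finding] = []
    lines = config.splitlines()
    smart_install_disabled = False
    i = 0
    while i < len(lines):
        line, n = lines[i], i + 1
        if line.strip() == "no vstack":
            smart_install_disabled = True
        elif (m := TFTP_RE.match(line)):
            target = m.group(1).lower()
            sev = "high" if ("startup-config" in target or "running-config" in target) else "medium"
            findings.append(Finding(sev, n, line, f"device serves {m.group(1)} over TFTP"))
        elif (m := USER_RE.match(line)):
            user, priv, kind, typ = m.groups()
            if priv == "15":
                findings.append(Finding("medium", n, line, f"privilege-15 local account '{user}'; confirm it is authorised"))
            if kind == "password" and typ == "7":
                findings.append(Finding("high", n, line, f"'{user}' uses a type-7 password, which is reversibly encoded"))
        elif (m := SNMP_RE.match(line)):
            community, flags = m.group(1), m.group(2).upper().split()
            sev = "high" if "RW" in flags else "medium"
            findings.append(Finding(sev, n, line, f"cleartext SNMP community '{community}' ({'read-write' if sev == 'high' else 'read-only'})"))
        elif (m := IFACE_RE.match(line)):
            name, start, mode, dest = m.group(1), n, "gre", None  # IOS default tunnel mode is GRE over IP
            i += 1
            while i < len(lines) and lines[i].startswith(" "):   # indented interface sub-commands
                if (mm := TUN_MODE_RE.match(lines[i])):
                    mode = mm.group(1).lower()
                elif (mm := TUN_DEST_RE.match(lines[i])):
                    dest = mm.group(1)
                i += 1
            if mode == "gre":
                findings.append(Finding("high", start, name, f"GRE tunnel {name} to {dest or 'unset destination'}; verify it is expected"))
            continue  # inner loop already advanced i
        i += 1
    if not smart_install_disabled:
        findings.append(Finding("info", 0, "", "'no vstack' absent: Smart Install client may still be enabled; confirm with 'show vstack config'"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] line {f.line_no:>2}: {f.reason}")
```

On the sample config the script reports four high findings (the tftp-server line, the type-7 password, the read-write community, and Tunnel100, whose missing "tunnel mode" means GRE by default), three medium ones and one informational note; Tunnel200 is skipped because it is an IPsec tunnel. Feed it the output of "show running-config" from each device in scope and diff results over time, since the campaign's hallmark is configuration changes that persist for years.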
The post Russian Hackers Exploiting 7-Year-Old Cisco Vulnerability to Collect Configs from Industrial Systems appeared first on Cyber Security News.