- The NSA, FBI, CISA and 15 allied agencies warn that Russian FSB Center 16 is exploiting weak/default credentials and old Cisco vulnerabilities to compromise critical infrastructure devices.
- The advisory highlights CVE‑2018‑0171 (Smart Install DoS/RCE) and CVE‑2008‑412813 (CSRF in Cisco IOS 12.4) as examples of vulnerabilities still being exploited.
- TTP overlaps with Chinese groups, but attribution points to Russian players like Berserk Bear and Energetic Bear; the full IoC and mitigation measures have been published in the joint advisory report
Russian state-sponsored threat actors are continuously targeting faulty and misconfigured network devices belonging to critical infrastructure providers around the world, warns a joint security advisory issued by the U.S. National Security Agency (NSA) and more than a dozen other agencies.
According to the advisory, hackers working for Center 16 of the Russian Federal Security Service (FSB) are constantly searching for routers and other Internet-connected devices accessible with “common or default” login credentials.
Once found, these devices are prompted to copy the device configuration files and then exfiltrate them via the Trivial File Transfer Protocol to servers under their control.
Berserk Bear and Salt Typhoon
In cases where default or weak credentials do not work, malicious actors also attempt to exploit the vulnerabilities. In the advisory, the agencies specifically mention two vulnerabilities in Cisco devices: CVE-2018-0171 and CVE-2008-412813. The first is an eight-year-old bug in the Smart Install functionality of Cisco IOS and Cisco IOS XE Software that allows an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code.
The latter is an even older (18 year old) set of multiple cross-site request forgery (CSRF) vulnerabilities in the HTTP administration component of Cisco IOS 12.4 on the 871 Integrated Services Router that allows remote attackers to execute arbitrary commands.
Although many of these tactics, techniques, and procedures (TTPs) overlap with those of the Chinese Salt Typhoon hackers, the agencies suggested that they focus primarily on the Russian hackers known as Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, or Static Tundra.
The joint advisory is co-authored by the NSA, FBI and CISA, along with 15 other agencies from Australia, the United Kingdom, Canada, New Zealand, Estonia, Finland, France and Italy.

The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.




