Cybersecurity and Cisco Attack
The Cisco name is known across the globe and is highly regarded, and a great deal of engineering goes into its product line, in this case its routers. That pedigree did not spare the devices discussed here.
Targets
Security researchers observed Cisco RV320 and RV325 WAN routers being scanned and exploitation of their vulnerabilities being attempted. The activity targeted the RV320 running firmware versions 1.4.2.15 through 1.4.2.19 and the RV325 running versions 1.4.2.15 through 1.4.2.17. These devices are commonly deployed by internet service providers (ISPs) and large enterprises.
Attacks
The attacks began in earnest in January 2019, which coincided with researcher David Davidson publishing a proof-of-concept exploit for the targeted routers (the repository is listed under his GitHub handle, 0x27, in the resources below).
Vulnerabilities
The exploits relied on two vulnerabilities, CVE-2019-1653 and CVE-2019-1652. CVE-2019-1653 is an information disclosure flaw: a remote attacker can retrieve sensitive device configuration details without authenticating, and that configuration includes the hashed administrator credentials. CVE-2019-1652 is a command injection flaw in the web management interface; Cisco's advisory describes it as requiring administrative privileges, which is exactly why it was chained with CVE-2019-1653: the credentials recovered from the configuration dump are used to authenticate, after which the attacker injects and executes commands and controls the targeted device.
At the time of the reports, scans found 6,247 RV320 and 3,410 RV325 routers exposed and vulnerable, spread across 122 countries and 1,619 distinct ISPs. Both vulnerabilities were reported to Cisco by RedTeam Pentesting GmbH of Germany.
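As an added illustration, not code from this article or from the PoC it cites, the following Python sketch shows the detection side of that chain. It runs over constructed web-access-log lines for a router management interface and flags a configuration export by a client that never logged in, followed by a login from that same client. The endpoint paths, the log format and the sample lines are assumptions for the example; replace the paths with the ones the vendor advisory or your own packet captures show for your devices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Common-log-format line: client, ident, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# ASSUMPTION: these endpoint names are illustrative, not taken from this article.
# Put the paths the vendor advisory or your own captures show here.
CONFIG_DUMP_PATHS = {"/cgi-bin/config.exp", "/cgi-bin/export_debug_msg.exp"}
LOGIN_PATH = "/cgi-bin/userLogin.cgi"

# Constructed sample log, not a real capture. 203.0.113.7 pulls the configuration
# before ever logging in and then logs in (the CVE-2019-1653 -> CVE-2019-1652 chain);
# 192.0.2.10 is an administrator who logs in first and then exports a backup.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jan/2019:11:02:13 +0000] "GET /cgi-bin/config.exp HTTP/1.1" 200 48211 "-" "python-requests/2.21.0"
203.0.113.7 - - [23/Jan/2019:11:02:14 +0000] "GET /cgi-bin/export_debug_msg.exp HTTP/1.1" 200 9031 "-" "python-requests/2.21.0"
203.0.113.7 - - [23/Jan/2019:11:02:20 +0000] "POST /cgi-bin/userLogin.cgi HTTP/1.1" 200 0 "-" "python-requests/2.21.0"
192.0.2.10 - - [23/Jan/2019:11:05:41 +0000] "GET /index.htm HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
192.0.2.10 - - [23/Jan/2019:11:05:50 +0000] "POST /cgi-bin/userLogin.cgi HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.0.2.10 - - [23/Jan/2019:11:06:02 +0000] "GET /cgi-bin/config.exp?dummy=1 HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
this line is not a log record and is skipped
"""


@dataclass
class Finding:
    ip: str
    ts: str
    kind: str
    path: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # compare without the query string
    rec["status"] = int(rec["status"])
    return rec


def detect(lines) -> List[Finding]:
    """Flag configuration dumps by clients that have not logged in, and logins by
    clients that already dumped the configuration. Session state is approximated
    per source IP for the whole log and a 200 on the login POST is taken as a
    successful login; a real detector would key on the device's session cookie,
    check the login result, and expire state."""
    logged_in = set()
    dumped_unauth = set()
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec["ip"], rec["path"], rec["status"]
        if rec["method"] == "POST" and path == LOGIN_PATH and status == 200:
            if ip in dumped_unauth:
                findings.append(Finding(ip, rec["ts"], "login-after-unauth-dump", path))
            logged_in.add(ip)
        elif path in CONFIG_DUMP_PATHS and status == 200 and ip not in logged_in:
            findings.append(Finding(ip, rec["ts"], "unauth-config-dump", path))
            dumped_unauth.add(ip)
    return findings


def analyze_sample() -> List[Finding]:
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in analyze_sample():
        print(f"{f.ts}  {f.ip:<15} {f.kind:<24} {f.path}")
```

The administrator's export is not flagged because a login from the same client precedes it; the scanner's two exports are flagged because nothing precedes them, and its later login is flagged again as the second half of the chain. Keying state on the device's session cookie rather than on the source address is the first improvement to make before using this against real logs.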
Remediation
After the notification, Cisco engineers worked on the issue and released patches in January 2019. That alone did not settle the matter: attackers took Davidson's proof-of-concept exploit and added commands of their own, which gave them full control over the affected devices. Users were therefore advised to upgrade to firmware version 1.4.2.20 and, just as important, to change their passwords, since a configuration dump taken before the upgrade already contains the hashed credentials and the patch does nothing to revoke them. Anyone who skipped either step risked an unwelcome surprise.
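An added example, not from the article, of turning that advice into an inventory check: a short Python script applies the firmware ranges and fixed release stated above and lists the required actions per device. The device names and inventory records are constructed; the affected ranges are the ones this article gives and should be verified against the Cisco advisory before use.

```python
from typing import Dict, List, Tuple

# Affected firmware ranges (inclusive) and the fixed release, as stated in this article.
# Verify these against the vendor advisory; they are reproduced here, not confirmed.
AFFECTED_RANGES: Dict[str, Tuple[str, str]] = {
    "RV320": ("1.4.2.15", "1.4.2.19"),
    "RV325": ("1.4.2.15", "1.4.2.17"),
}
FIXED_RELEASE = "1.4.2.20"

# Constructed inventory records; hostnames are placeholders.
SAMPLE_INVENTORY: List[Dict] = [
    {"host": "rtr-a", "model": "RV320", "firmware": "1.4.2.17", "password_changed_after_patch": False},
    {"host": "rtr-b", "model": "RV325", "firmware": "1.4.2.20", "password_changed_after_patch": False},
    {"host": "rtr-c", "model": "RV320", "firmware": "1.4.2.20", "password_changed_after_patch": True},
    {"host": "rtr-d", "model": "RV325", "firmware": "1.4.2.9",  "password_changed_after_patch": False},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.4.2.19' -> (1, 4, 2, 19). Comparing tuples is what makes the range check
    correct: compared as strings, '1.4.2.9' sorts after '1.4.2.19'."""
    return tuple(int(part) for part in v.strip().split("."))


def firmware_status(model: str, version: str) -> str:
    """Classify one device: patched, vulnerable, outside-listed-range, unknown-model."""
    model = model.upper().replace(" ", "")      # accept "RV 325" as well as "RV325"
    if model not in AFFECTED_RANGES:
        return "unknown-model"
    lo, hi = (parse_version(x) for x in AFFECTED_RANGES[model])
    v = parse_version(version)
    if v >= parse_version(FIXED_RELEASE):
        return "patched"
    if lo <= v <= hi:
        return "vulnerable"
    # Older than the listed range, or between it and the fix: still not on the
    # fixed release, so treat it as needing the upgrade and check the advisory.
    return "outside-listed-range"


def remediation_plan(inventory: List[Dict]) -> List[Dict]:
    """For each device, list the actions still required. Patching alone is not
    enough: a device that was vulnerable may already have had its configuration
    (and therefore its credential hashes) pulled, so the password must also be
    changed after the upgrade."""
    plan = []
    for dev in inventory:
        status = firmware_status(dev["model"], dev["firmware"])
        actions: List[str] = []
        if status in ("vulnerable", "outside-listed-range"):
            actions.append(f"upgrade firmware to {FIXED_RELEASE}")
        if status != "unknown-model" and not dev.get("password_changed_after_patch", False):
            actions.append("change the admin password after the upgrade")
        plan.append({"host": dev["host"], "status": status, "actions": actions})
    return plan


def sample_plan() -> List[Dict]:
    """Run the check over the constructed inventory."""
    return remediation_plan(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for entry in sample_plan():
        print(f"{entry['host']:<8} {entry['status']:<22} {', '.join(entry['actions']) or 'no action'}")
```

Note that rtr-b is on the fixed release but still gets an action: it was on a vulnerable build before the upgrade, and nothing in the upgrade invalidates a hash that was dumped earlier, so the password change is tracked as its own item rather than assumed to follow from the patch.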
Resources
0x27. (2019, January 24). CVE-2019-1652/CVE-2019-1653 exploits for dumping Cisco RV320 configurations & debugging data and remote root exploit. Retrieved from https://github.com/0x27/CiscoRV320Dump
Cimpanu, C. (2019, January 27). Hackers are going after Cisco RV320/RV325 routers using a new exploit. Retrieved from https://www.zdnet.com/article/hackers-are-going-after-cisco-rv320rv325-routers-using-a-new-exploit
Cisco. (2019, January 25). Cisco Small Business RV320 and RV325 routers command injection vulnerability. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject
Kumar, M. (2019, January 28). New exploit threatens over 9,000 hackable Cisco RV320/RV325 routers worldwide. Retrieved from https://thehackernews.com/2019/01/hacking-cisco-routers.html
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.