Networking-Forums.com

Professional Discussions => Security => Topic started by: deanwebb on September 15, 2015, 10:07:26 AM

Title: Block HTTP to Those Cisco Routers, Boys!
Post by: deanwebb on September 15, 2015, 10:07:26 AM
https://threatpost.com/attackers-replacing-firmware-on-cisco-routers/114665

:problem?:

Summary: modified IOS on Cisco routers leaves a backdoor open to HTTP. So... make sure that you block HTTP access to your routers!

:professorcat:
Title: Re: Block HTTP to Those Cisco Routers, Boys!
Post by: icecream-guy on September 15, 2015, 11:00:22 AM
Quote from: deanwebb on September 15, 2015, 10:07:26 AM
https://threatpost.com/attackers-replacing-firmware-on-cisco-routers/114665

:problem?:

Summary: modified IOS on Cisco routers leaves a backdoor open to HTTP. So... make sure that you block HTTP access to your routers!

:professorcat:

Who would run an IOS image that they found on a site other than Cisco.com.....in production....using EOS gear....on the network perimeter <some small company without SmartNet contract, that needed to upgrade for some reason>?
Title: Re: Block HTTP to Those Cisco Routers, Boys!
Post by: deanwebb on September 15, 2015, 11:33:35 AM
PROTIP: Don't let just anyone have ROMMON access to your routers!

A side thought: I wonder how many hacked networks are actually GNS3 setups that are connected to the internet?
Title: Re: Block HTTP to Those Cisco Routers, Boys!
Post by: that1guy15 on September 15, 2015, 10:47:59 PM
Quote from: ristau5741 on September 15, 2015, 11:00:22 AM
Quote from: deanwebb on September 15, 2015, 10:07:26 AM
https://threatpost.com/attackers-replacing-firmware-on-cisco-routers/114665

:problem?:

Summary: modified IOS on Cisco routers leaves a backdoor open to HTTP. So... make sure that you block HTTP access to your routers!

:professorcat:

Who would run an IOS image that they found on a site other than Cisco.com.....in production....using EOS gear....on the network perimeter <some small company without SmartNet contract, that needed to upgrade for some reason>?
If I had a nickel for every time a front-line or Jr used anything other than Cisco documentation to do something on a device I would be a rich rich man.
Title: Re: Block HTTP to Those Cisco Routers, Boys!
Post by: Otanx on September 16, 2015, 08:16:16 AM
Quote from: ristau5741 on September 15, 2015, 11:00:22 AM
Who would run an IOS image that they found on a site other than Cisco.com.....in production....using EOS gear....on the network perimeter <some small company without SmartNet contract, that needed to upgrade for some reason>?

It isn't the admin that is loading the image. Attackers are getting the login information, and then loading the firmware themselves. This is mainly a weak password/password reuse issue.

-Otanx
Title: Re: Block HTTP to Those Cisco Routers, Boys!
Post by: Dieselboy on September 17, 2015, 08:33:44 PM
There's a website someone showed me. You put in some Cisco HTTP response keyword and the website returns results, basically from all the routers scanned where it's managed to get HTTP access. Then you can http to them, and execute commands through the unsecured http via the browser and open SSH / Telnet etc. We were messing around accessing AT&T's internet routers a very long time ago. I was thinking about setting up tunnels between different vendors and enable a routing protocol but never did. It's very easy to access kit on the internet if it's been set up with neglect. Why anyone would leave HTTP open to any internet host is beyond me. I do leave HTTP enabled, but it's secured either through specific source networks, or if that cannot be done (e.g. my home Cisco router) then it's only accessible via VPN.
I've even seen routers deployed which have not been configured to block traffic to them. A lot of people don't seem to understand that if for example an internet router on the edge of a network is just routing from you to the internet and back again, then the WAN side should have a blocking rule from any to itself in most cases. There may be a cause to allow SSH to itself from specific sources. Similarly, on the inside I'm still only allowing legit traffic to the router for management purposes.
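The hardening Dieselboy describes above (plain HTTP off, HTTPS and SSH reachable only from a known management prefix, and a WAN-side ACL that drops everything else addressed to the router itself) as an added IOS configuration example. This is not from the post or from Cisco; the prefixes 192.0.2.0/24 and 198.51.100.1, the interface name and the ACL names are constructed placeholders for illustration.

```cisco
! Constructed example: management hosts allowed to reach the router (replace with your real prefix)
access-list 10 remark MGMT-HOSTS - only these sources may manage the router
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any log
!
! Plain HTTP off; HTTPS on but restricted to the management ACL
no ip http server
ip http secure-server
ip http access-class 10
!
! Same restriction for the CLI: SSH only, and only from the management ACL
line vty 0 4
 access-class 10 in
 transport input ssh
!
! WAN-side filter: the edge router routes traffic, it is not a destination for the internet
ip access-list extended WAN-IN
 remark SSH to the router's own WAN address only from the management prefix
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.1 eq 22
 remark Drop and log anything else aimed at the router itself (HTTP, HTTPS, Telnet, SNMP, ...)
 deny ip any host 198.51.100.1 log
 remark Transit traffic for inside hosts - placeholder; use your existing stateful policy here
 permit tcp any any established
 permit icmp any any echo-reply
!
interface GigabitEthernet0/0
 description WAN uplink (constructed example address)
 ip address 198.51.100.1 255.255.255.252
 ip access-group WAN-IN in
```

The order of the WAN-IN entries matters: the specific SSH permit for the router's own address must come before the blanket deny to itself, and the deny to itself must come before any transit permits, otherwise the transit lines would let management traffic through. Logging on the deny line is what turns opportunistic scans of the management ports into something the ops team actually sees.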
Title: Re: Block HTTP to Those Cisco Routers, Boys!
Post by: SimonV on September 18, 2015, 02:31:13 AM
Quote from: Dieselboy on September 17, 2015, 08:33:44 PM
There's a website someone showed me. You put in some Cisco HTTP response keyword and the website returns results, basically from all the routers scanned where it's managed to get HTTP access. Then you can http to them, and execute commands through the unsecured http via the browser and open SSH / Telnet etc. We were messing around accessing AT&T's internet routers a very long time ago. I was thinking about setting up tunnels between different vendors and enable a routing protocol but never did. It's very easy to access kit on the internet if it's been set up with neglect. Why anyone would leave HTTP open to any internet host is beyond me. I do leave HTTP enabled, but it's secured either through specific source networks, or if that cannot be done (e.g. my home Cisco router) then it's only accessible via VPN.
I've even seen routers deployed which have not been configured to block traffic to them. A lot of people don't seem to understand that if for example an internet router on the edge of a network is just routing from you to the internet and back again, then the WAN side should have a blocking rule from any to itself in most cases. There may be a cause to allow SSH to itself from specific sources. Similarly, on the inside I'm still only allowing legit traffic to the router for management purposes.

Was it this site? http://www.shodanhq.com