
A Russia-sponsored cyberattack campaign is targeting end-of-life Cisco devices that remain unpatched against CVE-2018-0171, a security flaw discovered seven years ago. This flaw was exploited by Chinese threat actor Salt Typhoon earlier this year and allows malicious actors to execute arbitrary code on targeted devices or create denial-of-service conditions.
In this instance, the Russia-sponsored group responsible for the attacks is known as Static Tundra, Energetic Bear or Berserk Bear. The group has been active since 2015 and predominantly targets organizations in telecommunications, manufacturing, and higher education across the US, Ukraine, and other countries.
Below, security leaders discuss this campaign.
Security Leaders Weigh In
Ernest Lefner, Chief Product Officer at Gluware:
The Static Tundra campaign highlights a simple truth: the best defense against state-sponsored exploitation of aging, unpatched devices isn’t a single patch or product — it’s disciplined lifecycle and vulnerability management. Organizations that continue to run end-of-life infrastructure are leaving doors open that sophisticated adversaries are eager to walk through.
Automation is the key to closing these doors at scale. Enterprise-capable automation allows IT teams to continuously assess device posture, automate patch deployment, and enforce lifecycle policies across complex, multi-vendor networks. Instead of waiting for the next CVE to make headlines, automated lifecycle management ensures that unsupported devices are flagged and phased out before they become liabilities, and vulnerabilities are remediated as part of a repeatable, policy-driven process.
For CIOs, the takeaway is clear: operationalizing lifecycle and vulnerability management through automation not only reduces attack surface but also shifts security posture from reactive to proactive. It’s a strategic investment that keeps the enterprise resilient, compliant, and out of harm’s way.
Trey Ford, Chief Strategy and Trust Officer at Bugcrowd:
End-of-life devices are often removed from core observation, especially when tied to sunsetting applications and services.
Vulnerability management SLAs must apply to the company’s entire attack surface — this FBI Alert underscores the importance of both maintaining a current inventory (knowing what’s available to attackers), and how critical continued vigilance of patching currency and configuration management remains until the devices are taken offline.
The impacted CVE (CVE-2018-0171) is a high-scoring RCE (remote code execution) exploit — while some environments (like manufacturing, telecommunications, and other critical infrastructure) may face production delays for planned patching cycles — seeing a seven-year delay for this kind of vulnerability to be widely exploited is a bit surprising.
Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit:
The Static Tundra campaign, attributed to Russian Federal Security Service (FSB) Center 16 (also known as Berserk Bear, Dragonfly and Energetic Bear), has been systematically exploiting CVE-2018-0171. It’s a seven-year-old critical vulnerability in Cisco’s Smart Install (SMI) feature that allows unauthenticated, remote threat actors to execute arbitrary code on affected devices.
This campaign cements recent threat research that 40% of vulnerabilities exploited by threat actors in 2024 were from 2020 or earlier, with 10% dating back to 2016 or earlier. Some exploited vulnerabilities even date back to the 1990s, demonstrating the extraordinary longevity of unpatched security flaws! Since these devices are out of support, they no longer receive security updates, leaving newly discovered vulnerabilities permanently unaddressed. This creates persistent attack vectors that threat actors can exploit indefinitely. Moreover, legacy systems are often harder to monitor and secure, making it difficult to inventory and detect compromises.
Customers should:
- Maintain inventories of network infrastructure, including identification of devices approaching or at end-of-life status. Create a replacement roadmap for devices approaching or at EOL.
- Prioritize vulnerabilities affecting internet-facing devices or critical infrastructure devices.
- Periodically review critical settings and disable remote administration entirely.
- Disable the use of legacy SMI protocols and other legacy, insecure protocols such as SNMP v1/v2.
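The last three recommendations can be checked mechanically against a device's running configuration. The following is an added example, not code from the article, Qualys or Cisco: a small auditor that reads IOS-style configuration text and flags Smart Install left enabled, SNMP v1/v2c community strings, and plaintext remote administration (HTTP, Telnet on vty lines). The two configurations are constructed for the example. `no vstack` and `show vstack config` are the real IOS commands for Smart Install; the assumption that a missing `no vstack` line means the feature is on holds only for platforms where Smart Install is enabled by default, so the finding should be confirmed with `show vstack config` on the device.

```python
"""Audit IOS-style running configs for the legacy exposures named above.
Constructed example; not a vendor tool."""

import re
from dataclasses import dataclass, field

# Constructed sample: a switch left in a typical unhardened state.
SAMPLE_CONFIG = """\
hostname branch-sw-01
!
snmp-server community public RO
snmp-server community s3cret RW
snmp-server group v3admins v3 priv
!
ip http server
!
line vty 0 4
 transport input telnet ssh
!
end
"""

# Constructed sample: the same device after applying the recommendations.
HARDENED_CONFIG = """\
hostname branch-sw-01
!
no vstack
!
snmp-server group v3admins v3 priv
!
no ip http server
!
line vty 0 4
 transport input ssh
!
end
"""


@dataclass
class Finding:
    check: str        # stable identifier for the failed check
    detail: str       # what was seen in the config
    remediation: str  # IOS command(s) that close the exposure


@dataclass
class AuditResult:
    findings: list = field(default_factory=list)

    def has(self, check: str) -> bool:
        return any(f.check == check for f in self.findings)


def audit_ios_config(config: str) -> AuditResult:
    result = AuditResult()
    lines = [line.rstrip() for line in config.splitlines()]

    # 1. Smart Install (SMI, TCP/4786). Assumption: the platform enables it by
    #    default, so only an explicit "no vstack" proves it is off.
    if not any(line.strip() == "no vstack" for line in lines):
        result.findings.append(Finding(
            "smart_install_enabled",
            'no "no vstack" line present; Smart Install assumed enabled',
            'configure "no vstack"; verify with "show vstack config"'))

    # 2. SNMP v1/v2c community strings travel in cleartext; RW is worse than RO.
    #    re.match anchors at the start, so "no snmp-server community" is skipped.
    community_re = re.compile(
        r"snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW))?")
    for line in lines:
        m = community_re.match(line.strip())
        if m:
            access = m.group(2) or "RO"  # IOS defaults to read-only
            result.findings.append(Finding(
                "snmp_v1v2c_community",
                f"v1/v2c community configured with {access} access",
                f'"no snmp-server community {m.group(1)}"; use SNMPv3 priv'))

    # 3. Remote administration over plaintext protocols.
    if any(line.strip() == "ip http server" for line in lines):
        result.findings.append(Finding(
            "http_server_enabled", "ip http server is enabled",
            '"no ip http server"'))

    in_vty = False  # IOS indents members of a "line vty" block by one space
    for line in lines:
        if line.startswith("line vty"):
            in_vty = True
            continue
        if in_vty and line and not line.startswith(" "):
            in_vty = False
        if in_vty:
            m = re.match(r"transport input (.+)", line.strip())
            if m and ({"telnet", "all"} & set(m.group(1).split())):
                result.findings.append(Finding(
                    "telnet_enabled",
                    f"vty accepts: {m.group(1)}",
                    '"transport input ssh" under the vty lines'))
    return result


def summarize(result: AuditResult) -> list:
    """One human-readable line per finding, for a report or ticket."""
    return [f"[{f.check}] {f.detail} -> fix: {f.remediation}" for f in result.findings]


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        print("\n".join(summarize(audit_ios_config(cfg))) or "no findings")
```

Run against saved `show running-config` output from each device in the inventory; the `check` identifiers are deliberately stable so the results can be diffed between audits and tracked against the EOL replacement roadmap.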