The US government warns that Russia state hackers are coming after your router
The US government warns that Russia state hackers are coming after your router
美国政府警告:俄罗斯国家黑客正盯上你的路由器
The federal government is warning users of home and small office routers to secure their devices as Russia state hackers continue to mass-compromise them for use in obscuring nefarious actions against sensitive organizations in the public and private sectors. 美国联邦政府警告家庭和小型办公室路由器的用户务必加强设备安全,因为俄罗斯国家黑客正持续大规模入侵这些设备,利用它们来掩盖针对公共和私营部门敏感机构的非法活动。
Both the Russian and Chinese governments have been compromising routers for years, sometimes in prolonged tugs-of-war to wrest control of devices the other has already commandeered. The US government has occasionally issued covert commands and taken other steps to disinfect routers. Google and other companies have also worked to disrupt the massive botnets that control compromised routers in lockstep. The actions to date are little more than whack-a-mole exercises as the operators simply replace their botnets with new ones. 多年来,俄罗斯和中国政府一直在入侵路由器,有时甚至会为了争夺对方已经控制的设备而展开长期的拉锯战。美国政府偶尔会发布秘密指令并采取其他措施来清除路由器中的恶意程序。谷歌和其他公司也一直在努力破坏那些协同控制受感染路由器的庞大僵尸网络。然而,迄今为止的这些行动无异于“打地鼠”游戏,因为黑客只需简单地用新的僵尸网络替换旧的即可。
Proxy networks: The go-to tool
代理网络:黑客的首选工具
“Russian Federal Security Service (FSB) Center 16 cyber actors continue to exploit poorly configured and vulnerable networking devices worldwide, opportunistically compromising multiple critical infrastructure sector networks,” the Cybersecurity and Infrastructure Security Agency said Monday. The hacking groups are tracked under various names, including Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra. The advisory was co-issued by governments from around the world, including Australia, Denmark, New Zealand, and the UK. 美国网络安全与基础设施安全局(CISA)周一表示:“俄罗斯联邦安全局(FSB)第16中心的网络攻击者正持续利用全球范围内配置不当且存在漏洞的网络设备,伺机入侵多个关键基础设施部门的网络。”这些黑客组织有多个追踪代号,包括“狂暴熊”(Berserk Bear)、“活力熊”(Energetic Bear)、“蹲伏雪人”(Crouching Yeti)、“蜻蜓”(Dragonfly)、“幽灵暴雪”(Ghost Blizzard)和“静态苔原”(Static Tundra)。该预警由包括澳大利亚、丹麦、新西兰和英国在内的多国政府联合发布。
The primary means of compromise the agency warned about was hackers scanning IP ranges with active Simple Network Management Protocol (SNMP) agents that accept common or default authentication credentials. These scans are run by the very sorts of router botnets the actors are trying to enroll the targeted device in. By sending malicious traffic from spoofed addresses, the hackers can use the SNMP agent on poorly configured routers to run malware. SNMP allows users to collect and organize information about managed networking devices or to modify that information to change device behavior. 该机构警告称,主要的入侵手段是黑客扫描那些启用了简单网络管理协议(SNMP)且接受通用或默认身份验证凭据的 IP 地址段。这些扫描正是由黑客试图将目标设备纳入其中的那种路由器僵尸网络所执行的。通过从伪造地址发送恶意流量,黑客可以利用配置不当路由器上的 SNMP 代理来运行恶意软件。SNMP 允许用户收集和整理有关受管网络设备的信息,或修改这些信息以改变设备行为。
With control of a device, the hackers then use it as an exit node when probing or attacking targets in the communications, defense, energy, financial services, and government sectors. By funneling the malicious traffic through a benign-appearing device on a trustworthy IP address, the attackers are able to lower the chances of getting blocked by firewalls and other security defenses. Monday’s advisory made no mention of identical operations carried out in recent years by China. 一旦控制了设备,黑客就会将其用作出口节点,以探测或攻击通信、国防、能源、金融服务和政府部门的目标。通过将恶意流量引导至一个拥有可信 IP 地址且看似正常的设备,攻击者能够降低被防火墙和其他安全防御系统拦截的几率。周一的预警并未提及中国近年来开展的类似行动。
So-called residential proxies are also a go-to tool used by financially motivated criminal hackers to obscure their true IP address. In many cases, these sorts of proxies are made up of millions of streaming devices that are sold with preloaded malware. 所谓的“住宅代理”也是受经济利益驱动的犯罪黑客掩盖其真实 IP 地址的首选工具。在许多情况下,这类代理网络由数百万台预装了恶意软件的流媒体设备组成。
The agency urged router users to lock down their devices. Chief among the suggestions is to ensure SNMP versions 1 and 2 are disabled, because they don’t encrypt passwords or follow other common-sense security practices. Instead, only SNMP version 3 should be used. A better option is to disable SNMP altogether unless it’s needed for a specific use. Other safeguards include disabling Cisco Smart Install on all devices, using strong passwords, updating firmware regularly, and avoiding the use of other networking protocols. 该机构敦促路由器用户加强设备防护。建议的核心是确保禁用 SNMP v1 和 v2 版本,因为它们不加密密码,也不符合其他基本的安全规范。建议仅使用 SNMP v3 版本。更好的选择是完全禁用 SNMP,除非有特定用途。其他安全措施包括在所有设备上禁用 Cisco Smart Install、使用强密码、定期更新固件以及避免使用其他不必要的网络协议。