On December 3rd, 2024, six cybersecurity organizations published Enhanced Visibility and Hardening Guidance for Communications Infrastructure, detailing simple paths threat actors use to penetrate networks. Most people I talk to say, “This is nothing new.” “We’ve heard it all before.” “These are all Best Common Practices (BCPs); everyone should have deployed them already!”
Do not ignore these recommendations. Threat actors use simple techniques and active vulnerabilities to get inside your organization!
The recommendations explain how threat actors—especially from China’s Typhoon teams—penetrate Telcos, Mobile Operators, ISPs, Cloud Operations, and Critical Infrastructure!
The harsh reality is that the Chinese threat actors are already in your network. It is their job to get into critical infrastructure all over the world. They are very good at their job. Your job is to make it harder to get into your network.
Why are missing BCPs so easy to exploit?
For example, someone in your network deploys an ethernet switch. They get it working and plug devices into the switch. All those devices are working. But now you have:
- A switch with code that is most likely out of the box, old, and vulnerable.
- The auto-install tools to make it easy to configure the switch are still active and open.
- Simple Network Management Protocol (SNMP) is open to the world, and all the versions are active.
- Basic configurations are not set up. Telnet is active. FTP is active. TFTP is active. There is no VTY Access Control List (ACL) to limit who can access the device.
- No loopback interface is configured, and none of the management services are bound to a loopback address. That makes it hard to build ACLs to protect the switch.
- With no ACLs protecting the switch, there is no logging of who, what, and where is trying to connect to the box.
- There are also no changes to authentication when the switch is installed. There is a VERY high chance that any network device that does not protect SNMP and opens telnet, ftp, and tftp to the world did not change passwords nor deploy authentication, authorization, and accounting (AAA).
- What makes this worse is that the organization most likely does not have Infrastructure ACLs and Exploitable Port Filtering on the edge of its network.
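As an added example (not code from the original post), here is a small audit script that reads a switch configuration and flags the side doors listed above: open SNMP communities, Telnet on the VTY lines, a TFTP/HTTP server left on, no VTY ACL, no AAA, and no loopback. The config text is a constructed sample, and the command syntax it matches is modelled on Cisco IOS; the patterns are an assumption to adapt for your vendor.

```python
import re

# Constructed sample: a switch left in its out-of-the-box management state.
SAMPLE_CONFIG = """\
hostname edge-sw1
!
snmp-server community public RO
snmp-server community private RW
ip http server
tftp-server flash:c2960-config.txt
!
line vty 0 4
 transport input telnet ssh
 login
!
"""

def audit_config(config: str) -> list:
    """Return one finding per hardening gap found in an IOS-style config."""
    findings = []
    lines = [l.rstrip() for l in config.splitlines()]
    # SNMP: communities with no restricting ACL, and default community names.
    for l in lines:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", l)
        if m:
            name, mode, acl = m.groups()
            if acl is None:
                findings.append(f"SNMP community '{name}' ({mode}) has no ACL")
            if name.lower() in ("public", "private"):
                findings.append(f"SNMP community '{name}' is a default string")
    # Clear-text management services that should be off.
    if any(re.search(r"\btransport input .*\btelnet\b", l) for l in lines):
        findings.append("VTY lines accept Telnet")
    if any(l.startswith("tftp-server ") for l in lines):
        findings.append("TFTP server is enabled")
    if any(l == "ip http server" for l in lines):
        findings.append("clear-text HTTP management is enabled")
    # Missing protections: VTY ACL, AAA, and a loopback to anchor ACLs on.
    if not any(l.lstrip().startswith("access-class ") for l in lines):
        findings.append("no VTY access-class ACL limits who can reach the device")
    if "aaa new-model" not in lines:
        findings.append("AAA is not enabled (default/local passwords likely)")
    if not any(l.startswith("interface Loopback") for l in lines):
        findings.append("no loopback interface to anchor management ACLs")
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against a `show running-config` capture; an empty list means none of the side doors above were found by these patterns, not that the device is hardened.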
The threat actors look for these invitations to hack. They are basic security mistakes that indicate that no one is taking care of the network security. These risks are easy to exploit, carry minimal risk of detection, and slowly provide the threat actors access to their “target.” They have become the primary way multiple threat actor teams get into networks – and a core playbook for China’s Typhoon Teams. In 1996, these techniques were called “Side Doors” into your network. They became a standard playbook for getting into networks in 2010 – 2012.
How bad is this?
Here is a series of maps built from the Shadowserver Foundation’s public data on open SNMP, Telnet, and TFTP. If Shadowserver’s daily scans see the risk, the threat actors know about it and can easily exploit it. Open SNMP, Telnet, and TFTP indicate that devices are not appropriately configured, managed, or monitored, and they are perfect “side doors” to get a foothold in a network.
Note: When I lock down a network, the first thing I do for that client is to sign them up for Shadowserver’s daily reports, get the scan reports, and start locking down risk. It is a public benefit, free for my client, supported by organizations seeking a threat-free Internet.
The United States is the first example. Over 100 SNMP exposures create a fruitful target for threat actors to explore.
Any device that has SNMP, Telnet, and TFTP open is an easy target. The threat actor can set up a slow brute-force password-guessing routine on Telnet. No one is watching, and no alarms are being triggered. No one in the victim organization knows the break-in is starting.
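To turn those daily scan reports into a work list, here is an added example (not code from the post or from Shadowserver) that groups report rows by IP and ranks hosts that expose several side doors ahead of hosts that expose one. The rows and the column names (timestamp, ip, protocol, port, hostname, tag, asn, geo) are a constructed sample modelled on Shadowserver’s CSV reports; check them against the schema of the reports you actually receive.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows: one host with three exposures, two with one each.
SAMPLE_REPORTS = """\
timestamp,ip,protocol,port,hostname,tag,asn,geo
2024-12-04 02:11:07,192.0.2.10,udp,161,,snmp,64496,US
2024-12-04 02:11:07,192.0.2.10,tcp,23,,telnet,64496,US
2024-12-04 02:11:07,192.0.2.10,udp,69,,tftp,64496,US
2024-12-04 02:11:07,192.0.2.25,tcp,23,,telnet,64496,US
2024-12-04 02:11:07,198.51.100.7,udp,161,,snmp,64496,US
"""

# The side-door services the post calls out, with an assumed relative weight:
# a shell-granting service (telnet) counts more than read-only exposure.
SIDE_DOOR_WEIGHT = {"telnet": 3, "tftp": 2, "snmp": 2, "ftp": 2}

def triage(report_csv: str) -> list:
    """Group exposures by IP and rank hosts by combined side-door weight.

    Returns [(ip, score, [tags...]), ...] with the highest risk first, so the
    day-by-day lockdown starts with the worst boxes.
    """
    by_ip = defaultdict(set)
    for row in csv.DictReader(io.StringIO(report_csv)):
        tag = row["tag"].strip().lower()
        if tag in SIDE_DOOR_WEIGHT:
            by_ip[row["ip"]].add(tag)
    ranked = []
    for ip, tags in by_ip.items():
        score = sum(SIDE_DOOR_WEIGHT[t] for t in tags)
        # More than one side door on a host is a "nobody is minding this
        # device" signal; bump it ahead of single-exposure hosts.
        if len(tags) > 1:
            score += 5
        ranked.append((ip, score, sorted(tags)))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked

if __name__ == "__main__":
    for ip, score, tags in triage(SAMPLE_REPORTS):
        print(f"{ip:16} score={score:2} exposed={','.join(tags)}")
```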
Once the threat actor gains access to the switch, they can “live off the land” and use that device to move laterally through the network. Or you can pay attention to this advice from Enhanced Visibility and Hardening Guidance for Communications Infrastructure:
“Confirm the integrity of the software image using a trusted hashing calculation utility, if available.”
Yes, I can change the router’s code if I have access to a switch or a router. State-level threat actors can do the same. This threat vector used to be in the TLP: RED and AMBER+STRICT zone, but it is no longer. Check the code on all your network devices.
Here are some other SNMP, Telnet, and TFTP maps from the Shadowserver Dashboard:
Explore the Shadowserver Dashboard to see other risks that need to be mitigated.
How to Fix the Risk?
Fixing this systemic risk on an extensive network should not be rushed. Assume the threat actors are already inside your network if you have devices with SNMP, Telnet, and TFTP open to the world. Your plan of action needs to be a step-by-step, day-by-day, week-by-week rhythm of action that slowly regains positive control.
Over the next few months (December 2024 to February 2025), I will post, share, and advise organizations on evaluating risk and regaining control. If you need help, email me at bgreene@senki.org.
At the same time, the community teaching these basic BCPs for the past three decades is available at the Forum of Incident Response and Security Teams (FIRST) NETSEC SIG. This is the gathering place of the top network security experts on the planet. The SIG is open to all legitimate network engineers seeking to secure their network & help others protect their networks.
Step 1: Don’t start this on the holidays! If you are at risk, there is no point adding more risk with rapid “emergency changes” during the holidays. Do Steps 2 & 3, then build a step-by-step plan with a daily rhythm of action.
Step 2: Sign up for the Shadowserver Daily Reports. You do not need to call a vendor. You do not need to run your own scans. You do not need to buy an attack surface tool. All you need to start is to sign up for the free Daily Shadowserver Reports and sign up to Shadowserver’s Public announcement mailing list.
+30 years of “securing networks,” and my first step is constantly leveraging the work of the Shadowserver Foundation (more on that in many future posts). Other tools would be used to “kick the miscreants off my network.” The “other tools” and commercial products come after a “Shadowserver Risk Reduction Plan of Action.”
Step 3: Do your homework. These Best Common Practices (BCPs) have been taught repeatedly since 1996. The Network Operations Groups (NOGs) are places where these BCPs are taught. Many of these NOGs record the sessions. You can start with the APRICOT 2022 DDoS Resiliency Workshop – which covers all these BCPs – as a first step to DDoS resiliency.
What’s next?
Do your homework before spending $$$. Basic BCPs are the first steps to regaining control over threat actors. Stay tuned to the whole series of articles that will review all the recommendations shared in Enhanced Visibility and Hardening Guidance for Communications Infrastructure.
- Subscribe to the Senki Community Mailing List. Stay connected to Surfing Cybersecurity practical advice and critical “do this now” operation security recommendations by email.
- Subscribe to the Shadowserver Foundation’s and Senki’s YouTube Channels. Catch videos designed to help empower you with cost-effective techniques to safeguard your network.
- Ask questions to Barry Greene – bgreene@senki.org
The materials and guides posted here on www.senki.org are designed to help organizations leverage the talent around them to get started with their security activities. Start with the Operator’s Security Toolkit and Meaningful Security Conversations with your Vendors. Each is no-nonsense security for all Operators, with the details they need to build more security-resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights.

