{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/actors/static-tundra/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Static Tundra"],"_cs_cves":[{"cvss":9.8,"id":"CVE-2018-0171"}],"_cs_exploited":false,"_cs_products":["IOS","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["cisco","network-security","configuration-change"],"_cs_type":"threat","_cs_vendors":["Cisco","Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting malicious activity within Cisco IOS devices by analyzing configuration archive logs. Configuration archive logging captures all modifications made to a device\u0026rsquo;s configuration, offering a detailed audit trail. Analyzing these logs allows for the identification of suspicious or malicious activities, such as the creation of backdoor accounts, modifications to SNMP community strings, and the setup of TFTP servers for potential data exfiltration. This detection method is crucial for identifying advanced attack campaigns, exemplified by threat actors like Static Tundra, who often manipulate network configurations to maintain persistence and facilitate lateral movement. The monitoring of configuration changes across different user sessions provides a comprehensive view of device activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the network through an external vulnerability or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages that initial access to authenticate to a Cisco IOS device.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the device configuration to create a new user account with privilege level 15, effectively creating a backdoor.\u003c/li\u003e\n\u003cli\u003eThe attacker changes the SNMP community string to gain unauthorized access to network monitoring data.\u003c/li\u003e\n\u003cli\u003eThe attacker configures a TFTP server on the Cisco device to enable data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the user table to elevate privileges of existing accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the elevated privileges to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data using the configured TFTP server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised Cisco IOS devices can lead to significant network breaches, data exfiltration, and persistent access for malicious actors. Successful exploitation allows attackers to move laterally within the network, gain access to sensitive data, and maintain a foothold for future attacks. The CVE-2018-0171 vulnerability, related to Cisco Smart Install, can allow remote code execution, potentially impacting thousands of devices if not properly patched. Unauthorized configuration changes can disrupt network operations, compromise sensitive data, and damage an organization\u0026rsquo;s reputation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Cisco IOS archive logging with the commands \u003ccode\u003earchive\u003c/code\u003e and \u003ccode\u003elog config\u003c/code\u003e in global configuration mode to generate the necessary logs for detection.\u003c/li\u003e\n\u003cli\u003eConfigure command logging with \u003ccode\u003earchive log config logging enable\u003c/code\u003e and set appropriate logging levels with \u003ccode\u003elogging trap informational\u003c/code\u003e on Cisco devices to capture configuration changes.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Cisco Privilege Escalation via Configuration Change\u0026rdquo; to detect the creation of high-privilege accounts (\u003ccode\u003eAll_Changes.command=\u0026quot;*username*privilege 15*\u0026quot;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Cisco SNMP Community String Modification\u0026rdquo; to identify unauthorized changes to SNMP settings (\u003ccode\u003eAll_Changes.command=\u0026quot;*snmp-server community*\u0026quot;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on the source device (\u003ccode\u003edest\u003c/code\u003e) and the user (\u003ccode\u003euser\u003c/code\u003e) involved, using the provided drilldown searches.\u003c/li\u003e\n\u003cli\u003eMonitor logs for CVE-2018-0171 and apply the necessary patches.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-cisco-config-changes/","summary":"This analytic detects suspicious configuration changes on Cisco devices by analyzing archive logs for activities such as backdoor account creation, SNMP community string modifications, and TFTP server configurations, potentially indicating attacker presence and lateral movement.","title":"Detection of Suspicious Cisco Configuration Changes via Archive Logging","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-config-changes/"}],"language":"en","title":"CraftedSignal Threat Feed — Static Tundra","version":"https://jsonfeed.org/version/1.1"}