An adversary which has gained elevated access to network boundary devices may use these devices to create a channel to bridge trusted and untrusted networks. Boundary devices do not necessarily have to be on the network’s edge, but rather must serve to segment portions of the target network the adversary wishes to cross into.

Execution Flow

1) Explore

[Identify potential targets] An adversary identifies network boundary devices that can be compromised.

Technique

• The adversary traces network traffic to identify which devices the traffic flows through. Additionally, the adversary can identify devices using fingerprinting methods or locating the management page to determine identifying information about the device.

2) Experiment

[Compromise targets] The adversary must compromise the identified targets in the previous step.

Technique

• Once the device is identified, the adversary can attempt to input known default credentials for the device to gain access to the management console.
• Adversaries with sufficient identifying knowledge about the target device can exploit known vulnerabilities in network devices to obtain administrative access.

3) Exploit

[Bridge Networks] The adversary changes the configuration of the compromised network device to connect the networks the device was segmenting. Depending on the type of network boundary device and its capabilities, bridging can be implemented using various methods.

Technique

• The adversary can abuse Network Address Translation (NAT) in firewalls and routers to manipulate traffic flow to their own design. With control of the network device, the adversary can manipulate NAT by either using existing configurations or creating their own to allow two previously unconnected networks to communicate.
• Some network devices can be configured to become a proxy server. Adversaries can set up or exploit an existing proxy server on compromised network devices to create a bridge between separate networks.

Prerequisites

The adversary must have control of a network boundary device.

Skills Required

The adversary must understand how to manage the target network device to create or edit policies which will bridge networks.

Resources Required

The adversary requires either high privileges or full control of a boundary device on a target network.

Mitigations

Design: Ensure network devices are storing credentials in encrypted stores
Design: Follow the principle of least privilege and restrict administrative duties to as few accounts as possible. Ensure these privileged accounts are secured with strong credentials which do not overlap with other network devices.
Configuration: When possible, configure network boundary devices to use MFA.
Configuration: Change the default configuration for network devices to harden their security profiles. Default configurations are often enabled with insecure features to allow ease of installation and management. However, these configurations can be easily discovered and exploited by adversaries.
Implementation: Perform integrity checks on audit logs for network device management and review them to identify abnormalities in configurations.
Implementation: Prevent network boundary devices from being physically accessed by unauthorized personnel to prevent tampering.

References

REF-746

Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices
CISA.
https://www.cisa.gov/uscert/ncas/alerts/TA18-106A

Submission