How to spot (and stop) router compromise

Router compromise. Hardly the most nerve-wracking phrase in the cybercrime lexicon, but one that is a fast-increasing threat for every single Australian business. Last year saw widespread warnings about router security, with computer electronics company ASUS identifying vulnerabilities in its hardware and the Australian Cyber Security Centre (ACSC) noting that many organisations lost critical configuration files due to router compromise.

It’s an issue that every organisation needs to put on their data security agenda – has yours begun the process?

What is router compromise, and how does it work?

Router compromise is a fairly sophisticated form of data breach. Malicious entities conduct automated scans of routers to identify hardware that is vulnerable to an attack. This enables an adversary to extract configuration files, from which point they may be able to control or manipulate any devices that connect to your network, as well as the Internet connection itself.

In most cases so far, cyber attacks on routers have focused on those with Simple Network Management Protocol (SNMP) exposed to the Internet. This exposure is frequently a default setting, established when a network is first set up. While many organisations turn SNMP off once setup is complete, many more have left it open, creating a risk of compromise. The ACSC has also noted that Cisco switches with Cisco Smart Install exposed to the Internet are susceptible to the same scanning and hacking.

How can you identify router compromise?

If your organisation’s router has this exposure to attacks, there are some straightforward checks that network administrators can run immediately. You should check network logs for:

  • Unexpected SNMP queries, or SNMP queries of unknown origin.
  • Command outputs or network configurations that have come from, or gone to, outside sources – particularly via Trivial File Transfer Protocol (TFTP).
  • Configuration changes to GRE tunnels that you would not expect to change.

If any of these red flags emerge, it may be time to conduct a thorough assessment of the threat, in line with the Notifiable Data Breaches scheme guidelines from the Office of the Australian Information Commissioner.
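The three log checks above, turned into a small detector as an added example (not code from Over the Wire or the ACSC). The log line shapes, the allow-listed SNMP poller 10.0.0.5 and the internal address ranges are all constructed assumptions for the example.

```python
"""Scan constructed log lines for the three router-compromise indicators above."""
import ipaddress
import re

# Assumptions (constructed for this example): the one host allowed to poll SNMP,
# and the address ranges that count as "inside" the organisation.
TRUSTED_SNMP_POLLERS = {ipaddress.ip_address("10.0.0.5")}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed log shapes: a firewall flow record and a router config-change record.
FLOW_RE = re.compile(r"FLOW src=(\S+) dst=(\S+) proto=(udp|tcp) dport=(\d+)")
CONFIG_RE = re.compile(r"CONFIG user=(\S+) from=(\S+) cmd='([^']*)'")

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def classify(line):
    """Return the indicator a line matches, or None if it looks benign."""
    m = FLOW_RE.search(line)
    if m:
        src, dst, proto, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        # SNMP (UDP/161) from anything but the monitoring host is an unexpected query.
        if proto == "udp" and dport == 161 and ipaddress.ip_address(src) not in TRUSTED_SNMP_POLLERS:
            return "unexpected-snmp-query"
        # TFTP (UDP/69) with an external endpoint: a config moving in from, or out to, outside.
        if proto == "udp" and dport == 69 and not (is_internal(src) and is_internal(dst)):
            return "tftp-external-endpoint"
        return None
    m = CONFIG_RE.search(line)
    if m:
        _user, origin, cmd = m.groups()
        if "tunnel" in cmd.lower():          # any command touching a tunnel interface
            return "gre-tunnel-config-change"
        if not is_internal(origin):          # config session opened from outside the network
            return "config-change-from-outside"
    return None

def scan(lines):
    """Return (indicator, line) pairs for every suspicious line, in log order."""
    return [(ind, line) for line in lines if (ind := classify(line))]

SAMPLE_LOGS = [  # constructed; 203.0.113.x and 198.51.100.x are documentation addresses
    "FLOW src=10.0.0.5 dst=10.0.0.1 proto=udp dport=161",       # trusted poller: benign
    "FLOW src=203.0.113.9 dst=10.0.0.1 proto=udp dport=161",    # SNMP query from the Internet
    "FLOW src=10.0.0.1 dst=198.51.100.7 proto=udp dport=69",    # config transfer to an outside TFTP server
    "FLOW src=10.0.0.1 dst=10.0.0.20 proto=udp dport=69",       # internal TFTP backup: benign
    "CONFIG user=admin from=10.0.0.8 cmd='interface Tunnel0'",  # GRE tunnel being edited
    "CONFIG user=admin from=10.0.0.8 cmd='hostname edge-rtr'",  # routine change: benign
]
```

Running `scan(SAMPLE_LOGS)` flags three of the six constructed lines; in practice the allow-lists and regexes would be replaced with your own monitoring host, address plan and log format.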

How can you prevent router compromise?

The first step in prevention is the simplest – if your router has SNMP exposed to the Internet, disable it. If you require read/write access over SNMP, ensure it cannot be reached by unauthorised or untrusted third parties. Alternatively, upgrade to SNMP version 3 and set every community string to a non-default value.

Similarly, for Cisco users, if you do not require Cisco Smart Install to be active, disable it. You can also apply Access Control Lists (ACLs) that restrict which sources are permitted to reach the router’s SNMP service. Finally, configure anti-spoofing filters at the edge of your network to drop any packets that claim to come from unauthorised sources.

The ACSC is also proactively scanning Australian IP address ranges, looking for vulnerable or compromised routers.

Mitigate the impacts of router scanning today

If your organisation suffers a router compromise-related attack, the costs can be far-reaching. Beyond the money spent eradicating the threat and hardening/patching your systems, significant data breaches require comprehensive follow-up action with both the OAIC and any affected third parties.

Hardware may need to be replaced, staff upskilled, and consumer relations or company reputation may suffer irreparable damage if an attack threatens an individual’s safety.

Cyber criminals are becoming more and more sophisticated, with router scanning just one example of new ways your systems can be breached. To stay on the cutting edge of data security, it’s critical you work with partners who can provide around-the-clock service, proactively anticipate threats and shut down risks before they spread.

To learn more about router vulnerability and other cyber risk areas, our 24-page eBook, IT Managers: Set your Network Defences to Stunning, is a great resource with tips you can use to identify, contain and prevent cyber security threats. You can download it here.

That’s the difference Over the Wire will make. Contact the team today to find out more.
