General Cyber Intel
By Michael Perry and Val Vask
In the aftermath of Cisco’s announcement that several discontinued Integrated Service Routers (ISRs) have been compromised, Cyveillance recommends a thorough screening of networking infrastructure and policy. The impacted models — 1841, 2811, and 3825 — are what Cisco calls “branch routers.” These routers are designed specifically for small to medium-sized businesses (SMBs) and serve as gateways to the business owner’s network.
In response to this compromise, Cisco produced a series of articles on how to detect, mitigate, and harden their routers — which can be a time-consuming and expensive process. Further complicating matters, Cisco announced that hardware support for each of these devices will end in about a month. This means responsibility for oversight and management of branch routers will fall solely on SMB owners who don’t have the staffing or resources to prevent and mitigate future attacks.
The debate continues over whether the malicious actors who compromised the routers stole valid credentials or obtained them through social engineering. One plausible theory suggests that the attackers compromised already-vulnerable routers that still carried default administrator passwords.
Similarly, security researchers are debating the origin of the compromise and its possible state-sponsored connection. Some cyber experts who reviewed this breach quickly attributed the attacks to state-sponsored activity and described the compromise with various other attention-grabbing phrases.