
posted by hubie on Wednesday April 19, @11:52PM

Researchers are warning about a dangerous wave of unwiped, secondhand core-routers:

Cameron Camp had purchased a Juniper SRX240H router last year on eBay to use in a honeypot network he was building to study remote desktop protocol (RDP) exploits and attacks on Microsoft Exchange and industrial control systems devices. When the longtime security researcher at Eset booted up the secondhand Juniper router, to his surprise it displayed a hostname.

After taking a closer look at the device, Camp contacted Tony Anscombe, Eset's chief security evangelist, to alert him to what he had found on the router. "This thing has a whole treasure trove of Silicon Valley A-list software company information on it," Camp recalls telling Anscombe.

"We got very, very concerned," Camp says.

Camp and Anscombe decided to test their theory that this could be the tip of the iceberg for other decommissioned routers still harboring information from their previous owners' networks. They purchased several more decommissioned core routers -- four Cisco Systems ASA 5500, three Fortinet FortiGate, and 11 Juniper Networks SRX Series Services Gateway routers.

After dropping a few from the mix (one failed to power up and another two were actually mirrored routers from a former cluster), they found that nine of the remaining 16 held sensitive core networking configuration information, corporate credentials, and data on corporate applications, customers, vendors, and partners. The applications exposed on the routers were big-name software used in many enterprises: Microsoft Exchange, Lync/Skype, PeopleSoft, Salesforce, Microsoft SharePoint, Spiceworks, SQL, VMware Horizon View, voice over IP, File Transfer Protocol (FTP), and Lightweight Directory Access Protocol (LDAP) applications.

[...] The routers contained one or more IPSec or VPN credentials, or hashed root passwords, and each had sufficient data for the researchers to identify the actual previous owner/operator of the device. Nearly 90% included router-to-router authentication keys and details on applications connected to the networks; some 44% had network credentials to other networks (such as a supplier or partner); 33% included third-party connections to the network; and 22% harbored customer information.

Camp says the discovery was a far cry from the malware he typically studies, and a lot less work for an attacker who happened upon one of these unwiped routers. "I don't need a zero day, I have your router," quips Camp.

[...] Meanwhile, one of the unwiped routers contained what Camp describes as a "creepy" remote administration interface.

"I was never sure if it was on purpose, but it was creepy, very low-level access, and from one of the countries with flags that we're [the US] not happy with right now," he says. "It could be totally legit or that could be really bad. It was a little edgy to me."

[...] So how do you wipe a router that you want to retire? The good news is that most routers are fairly easy to securely decommission, and the big three (Cisco, Fortinet, and Juniper) provide detailed guidelines on their websites for restoring devices to their factory default settings.

[...] And if your organization has already disposed of routers that weren't properly wiped, Eset recommends rotating cryptographic keys in case an attacker were to get their hands on your old router and attempt to gain trusted access to your network. Zero trust can help here as well, they say.

[...] If you buy a secondhand core router and, like the researchers, find that it still contains the previous owner's information, Eset recommends disconnecting the router, moving it to a secured area, and contacting your regional CISA office. They also say it's best to document your purchase process as a precaution for insurance or legal purposes.
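The categories ESET found on the used devices (identifying hostnames, hashed root/admin passwords, IPsec/IKE pre-shared keys, router-to-router authentication keys, SNMP community strings) are all visible in a saved configuration, so a pre-disposal check can be as simple as grepping the config export for them. The following is an added example, not code from ESET, Dark Reading, or any vendor: it audits constructed Junos- and IOS-style config lines (with placeholder secrets) and refuses to mark a device safe to dispose of until nothing in those categories remains.

```python
import re
from typing import Dict, List

# Constructed sample of a saved config (not from any real device): Junos-style
# "set" lines followed by IOS-style lines, with placeholders in place of secrets.
CONFIG_UNWIPED = """\
set system host-name core-rtr-example
set system root-authentication encrypted-password "$6$PLACEHOLDER-HASH"
set security ike policy ike-pol pre-shared-key ascii-text "PLACEHOLDER-PSK"
set protocols bgp group ebgp neighbor 192.0.2.1 authentication-key "PLACEHOLDER-KEY"
set snmp community public authorization read-only
set system ntp server 192.0.2.10
hostname edge-fw-example
enable secret 5 $1$PLACEHOLDER-HASH
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.7
neighbor 198.51.100.7 password PLACEHOLDER-KEY
snmp-server community public RO
"""

# Constructed config as it should look after a factory reset: no identity, no secrets.
CONFIG_WIPED = """\
set system ntp server 192.0.2.10
"""

# Each category mirrors a class of data ESET reported finding on the used devices.
SENSITIVE_PATTERNS = {
    "identifying hostname": re.compile(r"\bhost-?name\b"),
    "hashed password": re.compile(r"\b(encrypted-password|enable secret|password \d)\b"),
    "IPsec/IKE pre-shared key": re.compile(r"\b(pre-shared-key|crypto isakmp key)\b"),
    "routing peer authentication key": re.compile(r"\b(authentication-key|neighbor \S+ password)\b"),
    "SNMP community string": re.compile(r"\bsnmp(-server)? community\b"),
}

def audit_config(config_text: str) -> Dict[str, List[int]]:
    """Map each sensitive category to the 1-based lines where it appears (never the values)."""
    findings: Dict[str, List[int]] = {}
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        for category, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(line):
                findings.setdefault(category, []).append(lineno)
    return findings

def is_safe_to_dispose(config_text: str) -> bool:
    """True only when no sensitive category remains in the saved configuration."""
    return not audit_config(config_text)

if __name__ == "__main__":
    for name, cfg in (("unwiped", CONFIG_UNWIPED), ("wiped", CONFIG_WIPED)):
        print(name, "safe to dispose:", is_safe_to_dispose(cfg), audit_config(cfg))
```

The report records line numbers only, so it can be attached to a disposal ticket without copying any secret out of the config; a real vendor export will need the pattern table extended to that platform's keywords.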

  • (Score: -1, Offtopic) by hopdevil on Thursday April 20, @12:19AM

    by hopdevil (3356) on Thursday April 20, @12:19AM (#1302210)

    Best assumption with any system is to assume it is connected to and all traffic is flowing over the internet... This is yet another classic example of why. Unfortunately people, alleged "security" professionals, still insist on VPNs and private network security. Of course the decommissioning process/people are being blamed for this, but it really is the insistence on fundamental bad practices.

    • (Score: 3, Insightful) by coolgopher on Thursday April 20, @06:14AM

      by coolgopher (1157) on Thursday April 20, @06:14AM (#1302223)

      In the case of BGP, you really want to have peer keys configured so your traffic doesn't get hijack-routed via Russia/NKorea/China/wherever.

      Not wiping systems before offloading them, now that's fundamental bad practice.

    • (Score: 3, Insightful) by Anonymous Coward on Thursday April 20, @08:24AM

      by Anonymous Coward on Thursday April 20, @08:24AM (#1302231)
      You got your head stuck up your butt if you think this incident shows that using VPNs is bad practice.

      That's as stupid as saying that using locks for your private stuff is bad practice just because someone left spare keys to the locks in stuff that was disposed of.
  • (Score: 2) by quietus on Thursday April 20, @05:34PM

    by quietus (6328) on Thursday April 20, @05:34PM (#1302268)

    Cisco ASA isn't a router; it's a firewall/load balancer. Further to the article: I've dealt with plenty of second-hand routers purchased via eBay; all of them were wiped clean (apart from a core ISP router which came from former Eastern Germany). Something else: you buy an expensive Juniper router because you want to sniff RDP protocol or attacks? Any cheap [enterprise] router would do, with a switch in between the honeypot server(s) and your router. I doubt these guys have much practical experience.