Cyberattack campaign against various Cisco router models

The attacks began two days after Cisco published a fix for a critical vulnerability

Cisco recently fixed a critical vulnerability in several of its small-business router models. However, according to network security and ethical hacking specialists from the International Institute of Cyber Security, only two days after the fixed firmware was released, hacker groups began scanning for the flaw and launching attacks to exploit it and take control of devices that had not been updated.

The vulnerability, tracked as CVE-2019-1663, gained notoriety after it was publicly disclosed during the last week of February 2019 with a score of 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS) scale.

According to network security experts, the vulnerability was scored so high because it is easy to exploit and requires no advanced coding skills: an attacker needs no credentials and no interaction from the device's owner, and the flaw can be triggered remotely through the router's web management interface. In other words, it bypasses the entire authentication process.

The affected models are the Cisco RV110W, RV130W and RV215W, which are mainly used in households and small businesses. Users of these devices are often unfamiliar with any update policy, so it is not unusual for attackers to find vulnerable devices long after Cisco corrected the bug. According to experts in network security, about 12,000 of these devices are reachable on the Internet, and they can be located very easily with search engines such as Shodan.

Some members of the cybersecurity community attribute the vulnerability to carelessness by Cisco's developers, who used a function long considered insecure: the C string copy function strcpy(), which copies until it finds a terminating null byte and never checks the size of the destination buffer.

The experts explained that, because the login handler copied user-supplied input with this function into a fixed-size buffer, the router's authentication mechanism was exposed to a buffer overflow. By sending an overlong value in the login request, an attacker could corrupt memory during the authentication process and execute arbitrary code on the underlying operating system as a high-privilege user, without ever supplying valid credentials.
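The following C snippet is an added illustration of the bug class described above, written for this article; it is not Cisco's code and does not reproduce the real RV-series firmware. It models a hypothetical login handler whose fixed-size password buffer (pwd, 16 bytes) sits directly in front of a privilege flag, and contrasts the strcpy() pattern with a bounded copy that refuses overlong input before touching the buffer. The request values are constructed, not captured traffic.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical login context, modelled on the pattern the article describes:
 * a fixed-size copy of the submitted password lying next to data the handler
 * trusts afterwards. Not Cisco's actual data structure. */
#define PWD_MAX 16

struct login_ctx {
    char pwd[PWD_MAX];  /* fixed-size copy of the "pwd" form field */
    int  privileged;    /* should only be set after a successful credential check */
};

/* Vulnerable pattern: strcpy() copies until the NUL byte, so the attacker
 * controls how many bytes land in pwd[] and whatever follows it.
 * Returns the privilege flag the handler ends up trusting. */
int vulnerable_login(const char *submitted)
{
    struct login_ctx ctx = {{0}, 0};
    strcpy(ctx.pwd, submitted);   /* BUG: no bound on the destination */
    /* credential check elided; with overlong input ctx is already corrupted */
    return ctx.privileged;
}

/* Hardened form: measure first, reject anything that does not fit, and copy
 * with an explicit length. Returns 0 when the password was accepted into the
 * buffer, -1 when the request was refused. */
int hardened_login(const char *submitted)
{
    struct login_ctx ctx = {{0}, 0};
    size_t n = strnlen(submitted, PWD_MAX);   /* never scans past PWD_MAX */
    if (n >= PWD_MAX)
        return -1;                            /* no room for the NUL: refuse */
    memcpy(ctx.pwd, submitted, n);
    ctx.pwd[n] = '\0';
    /* credential check against the stored secret would go here */
    return ctx.privileged ? 1 : 0;
}

int main(void)
{
    /* Constructed inputs. The overlong one is PWD_MAX + sizeof(int) - 1 'A's:
     * 16 fill pwd[] and the next 4 overwrite ctx.privileged. */
    const char *benign = "hunter2";
    char overlong[PWD_MAX + sizeof(int)];
    memset(overlong, 'A', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';

    printf("hardened, benign   : %d\n", hardened_login(benign));
    printf("hardened, overlong : %d\n", hardened_login(overlong));
    printf("vulnerable, benign : %d\n", vulnerable_login(benign));
    /* Deliberate undefined behaviour: _FORTIFY_SOURCE or -fstack-protector may
     * abort here; without them privileged typically reads back as 0x41414141. */
    printf("vulnerable, overlong: 0x%x\n", (unsigned)vulnerable_login(overlong));
    return 0;
}
```

The point of the hardened version is the order of operations: the length is checked against the destination size before a single byte is written, and strnlen() is used so that even the length measurement cannot run away on unterminated input. Build the demo with -fno-stack-protector -U_FORTIFY_SOURCE to watch the overlong case corrupt the flag; with those protections on, the process aborts instead, which is the second line of defence this class of bug relies on.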

Cisco recommends that users of these devices apply the updated firmware as soon as possible. The experts add that a user who believes the router may already have been compromised should not stop at updating the firmware: because the attacker may have changed the configuration or credentials, the device should also be reset to factory defaults, reconfigured with new passwords, and left with remote management disabled unless it is genuinely needed, since exposing the web management interface to the WAN is what allowed these attacks to be launched from the Internet.