Threat Actors Can Use Old Routers’ Data to Breach Corporate Networks
An Experiment Shows that Majority of Ex-corporate Core Routers are Improperly Wiped.
Discarded routers sold on the secondary market are usually improperly wiped, an experiment shows. Threat actors can recover sensitive data that was never fully erased from them.
Cybercriminals can use the recovered network configuration and details about the original owner to breach corporate networks, or sell that information online.
Details About the Experiment
ESET researchers started by buying 19 second-hand core routers. After a few tests, they found that they could still access important information on more than half of them.
Core routers interconnect network devices, provide a variety of data connection interfaces, and forward IP packets at high speed, which is why they are often called the backbone of a network.
The equipment consisted of four devices from Cisco (ASA 5500 series), three from Fortinet (FortiGate series), and 11 from Juniper Networks (SRX Series Services Gateways). One device was no longer functional and two contained identical data, so the findings refer to the remaining 16 devices.
Only five of these 16 devices had been properly wiped. On a few others, administrators had merely hardened the device, which made the data harder to reach but did not remove it; the rest still held their full configuration.
One device had even belonged to a managed security services provider (MSSP) that handled networks for hundreds of clients across sectors such as education, finance, healthcare and manufacturing.
What Data Was There to Grab
If such devices were purchased by hackers, the business that decommissioned them would face serious cybersecurity risks.
Although not all of the data on a core router could be recovered, malicious actors could obtain enough detail about the company, the design of its network, the connections between its systems, and so on.
The researchers warn that some devices even contained credentials that allowed third-party connections to the network. Furthermore, eight routers disclosed router-to-router authentication keys and hashes.
The list of corporate secrets extended to complete maps of sensitive applications hosted locally or in the cloud, including Microsoft Exchange, Salesforce, SharePoint, Spiceworks, VMware Horizon, and SQL.
With access to this kind of information, an adversary could easily devise an attack path that leads covertly deep inside the network.
With this level of detail, impersonating network or internal hosts would be far simpler for an attacker, especially since the devices often contain VPN credentials or other easily cracked authentication tokens.
This experiment underlines the importance of data erasure for discarded network devices. It is vital for businesses to have policies in place for the secure disposal of their digital assets.
For corporate network devices, the administrator should run the vendor's wipe commands to securely erase the configuration and reset the device. Otherwise, anyone can restart the router in recovery mode and examine its configuration.
Outsourcing this task to a third-party service is not necessarily a solution either, as the data is sensitive. In conclusion, the best practice is to follow the device manufacturer's recommendations for wiping the device and restoring factory settings.
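As an added example (not part of the ESET research or of the original article), the following Python script illustrates both points above: it scans a configuration dump for the categories of data the researchers recovered (local credentials, IPsec pre-shared keys, OSPF and BGP authentication keys, SNMP communities, TACACS/RADIUS secrets, the owner's domain and the named hosts that map out internal applications), and it reuses the same scan as a post-wipe check, so that a configuration read back after the reset is confirmed empty before the device leaves the building. The two sample configurations are constructed in Cisco-style syntax with made-up names, addresses and secrets; the pattern set is illustrative and would need extending for Junos or FortiOS syntax.

```python
import re
from typing import Dict, List

# Line patterns for the kinds of material ESET reported recovering from un-wiped
# devices. Cisco-style syntax; each pattern matches a whole config line (re.M).
# Illustrative only: other vendors spell these differently.
SECRET_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "local credential": re.compile(r"^(?:enable|username \S+) (?:password|secret) .*$", re.M),
    "ipsec pre-shared key": re.compile(r"^\s*(?:crypto isakmp key|ikev1 pre-shared-key|pre-shared-key) .*$", re.M),
    "ospf auth key": re.compile(r"^\s*ip ospf (?:message-digest-key \d+ md5|authentication-key) .*$", re.M),
    "bgp neighbor password": re.compile(r"^\s*neighbor \S+ password .*$", re.M),
    "snmp community": re.compile(r"^snmp-server community .*$", re.M),
    "radius/tacacs shared secret": re.compile(r"^(?:radius-server|tacacs-server) (?:host \S+ )?key .*$", re.M),
    "owner domain": re.compile(r"^domain-name .*$", re.M),
}

# 'name <ip> <hostname>' lines reveal the internal application map.
HOST_PATTERN = re.compile(r"^name \S+ (\S+)", re.M)


def audit_config(config: str) -> Dict[str, List[str]]:
    """Return {finding category: [offending config lines]} for a config dump.

    An empty dict means nothing in the scanned categories was found.
    """
    findings: Dict[str, List[str]] = {}
    for label, pattern in SECRET_PATTERNS.items():
        hits = [line.strip() for line in pattern.findall(config)]
        if hits:
            findings[label] = hits
    hosts = HOST_PATTERN.findall(config)
    if hosts:
        findings["named internal hosts"] = hosts
    return findings


def wipe_verified(post_wipe_config: str) -> bool:
    """True only if the configuration read back after the reset is clean."""
    return not audit_config(post_wipe_config)


# Constructed sample: a configuration of the kind found on an un-wiped firewall.
# Every name, address and secret here is made up for the example.
BEFORE_WIPE = """\
hostname fw-branch-01
domain-name corp.example
enable password 8Ry2YjIyt7RRXU24 encrypted
username netadmin password 0VoQCOOK8fQDmKoz encrypted privilege 15
name 10.20.1.15 exch-mail-01
name 10.20.1.22 sharepoint-01
name 10.20.1.40 horizon-broker
snmp-server community MonitorRO
crypto isakmp key S3cretPSK address 203.0.113.10
router ospf 1
 area 0 authentication message-digest
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 0spfK3y
router bgp 65001
 neighbor 198.51.100.2 password BgpS3cret
tacacs-server host 10.20.1.5 key TacacsSharedKey
"""

# Constructed sample: what the same device reports after a factory reset,
# with only default interface settings left.
AFTER_WIPE = """\
hostname ciscoasa
interface GigabitEthernet0/0
 shutdown
 no nameif
interface GigabitEthernet0/1
 shutdown
 no nameif
"""


if __name__ == "__main__":
    for label, hits in audit_config(BEFORE_WIPE).items():
        print(f"[{label}] {len(hits)} line(s), e.g. {hits[0]}")
    print("post-reset config clean:", wipe_verified(AFTER_WIPE))
```

The post-reset configuration is whatever the device reports after the vendor's own reset procedure (for example `write erase` followed by `reload` on a Cisco ASA, or `request system zeroize` on Junos). Read the configuration back and, where the platform allows, list the flash file system as well: erasing the startup configuration does not necessarily remove backup configuration files, certificates or VPN profiles stored there, which is exactly the material the researchers were able to recover.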