Hackers can breach networks using data on resold corporate routers

Enterprise-level network equipment on the secondary market hide sensitive data that hackers could use to breach corporate environments or to obtain customer information.

Looking at several used corporate-grade routers, researchers found that most of them had been improperly wiped during the decommissioning process and then sold online.

Core routers for sale

Researchers at cybersecurity company ESET purchased 18 used core routers and found that the full configuration data could still be accessed on more than half of those that worked properly.

Core routers are the backbone of a large network as they connect all other network devices. They support multiple data communication interfaces and are designed to forward IP packets at the highest speeds.

Initially, the ESET research team bought a few used routers to set up a test environment and found they had not been properly wiped and contained network configuration data as well as information that helped identify the previous owners.

The purchased equipment included four devices from Cisco (ASA 5500), three from Fortinet (Fortigate series), and 11 from Juniper Networks (SRX Series Services Gateway).

In a report earlier this week, Cameron Camp and Tony Anscombe say that one device was dead on arrival and eliminated from the tests and two of them were a mirror of each other and counted as one in the evaluation results.

Of the remaining 16 devices, only five were properly wiped and just two had been hardened, making some of the data more difficult to access.

For most of them, though, it was possible to access the complete configuration data, which is a trove of details about the owner, how they set up the network, and the connections between other systems.

With corporate network devices, the administrator needs to run a few commands to securely wipe the configuration and reset it. Without this, the routers can be booted into a recovery mode that allows checking how it was set up.

Secrets in the network

The researchers say that some of the routers retained customer information, data that allowed third-party connections to the network, and even “credentials for connecting to other networks as a trusted party.”

Additionally, eight of the nine routers that exposed the full configuration data also contained router-to-router authentication keys and hashes.

The list of corporate secrets extended to complete maps of sensitive applications hosted locally or in the cloud. Some examples include Microsoft Exchange, Salesforce, SharePoint, Spiceworks, VMware Horizon, and SQL.

“Due to the granularity of the applications and the specific versions used in some cases, known exploits could be deployed across the network topology that an attacker would already have mapped” - ESET

Such extensive insider details are typically reserved for “highly credentialed personnel” such as network administrators and their managers, the researchers explain.

An adversary with access to this type of information could easily come up with a plan for an attack path that would take them deep inside the network undetected.

“With this level of detail, impersonating network or internal hosts would be far simpler for an attacker, especially since the devices often contain VPN credentials or other easily cracked authentication tokens” - ESET

Based on the details uncovered in the routers, several of them had been in environments of managed IT providers, who operate the networks of large companies.

One device even belonged to a managed security services provider (MSSP) that handled networks for hundreds of clients in various sectors (e.g. education, finance, healthcare, manufacturing).

Following their findings, the researchers highlight the importance of properly wiping network devices before getting rid of them. Companies should have procedures in place for the secure destruction and disposal of their digital equipment.

The researchers also warn that using a third–party service for this activity may not always be a good idea. After notifying the owner of a router of their findings, they learned that the company had used such a service. “That clearly didn’t go as planned.”

The advice here is to follow the recommendations from the device maker to clean the equipment of potentially sensitive data and bring it to a factory default state.

Related Articles:

New Google Chrome feature blocks attacks against home networks

NSA shares zero-trust guidance to limit adversaries on the network

Russian hackers hijack Ubiquiti routers to launch stealthy attacks

New Fortinet RCE bug is actively exploited, CISA confirms

New Fortinet RCE flaw in SSL VPN likely exploited in attacks