Posted on April 22, 2023 at 7:43 AM
Hackers could access sensitive information from resold enterprise-level network equipment
Hackers could exploit enterprise-level network equipment being sold on the secondary market. Such equipment hides sensitive data that hackers could use to obtain unauthorized access to corporate environments or steal customer information.
Resold corporate grade routers susceptible to hacks
When enterprises want to replace their routers, they often turn to the secondary market to resell them. However, researchers say most of these routers are wiped improperly when decommissioning before being sold online. As such, hackers can use them to obtain sensitive information or breach corporate networks.
Researchers at the ESET cybersecurity company exposed the vulnerabilities posed by these decommissioned routers. These researchers bought 18 core routers that were previously used. They discovered that the configuration data could still be accessed on over half of the routers that still worked.
Core routers are used on large networks. The equipment links all the other devices on the network. These routers also support several data communication interfaces, and they have been designed to forward IP packets at high speeds.
The research team at ESET purchased several used routers to create a test environment. The team discovered that these routers were not wiped correctly and contained network configuration data. They also contained information that could help in identifying the former owners.
The devices purchased by the researchers included four devices from Cisco, three from Fortinet, and 11 from Juniper Networks. Another report released this week said that one of the devices did not work and was not included in the tests.
Two of the devices were the same, and they were evaluated as one in the evaluation results. Only five out of the other 16 devices were wiped correctly, and two of them were hardened in a manner that made it too complex to access data. However, accessing the entire configuration data was possible on most devices. The data includes the owner’s details, network setup, and system connection.
Core routers used on corporate networks need the administrators to run several commands to reset and wipe the configuration. If the administrator does not do this, these routers can be restarted into a recovery mode that will support checks on how the configuration and setup was done.
Sensitive information in the routers
According to the researchers, some core routers retained some customer information. The data supported third-party connections within the network. A hacker could also access credentials used to connect to other networks.
Nine routers used in the research exposed the entire configuration data, and one out of these also harbored the router-to-router authentication keys and hashes. The sensitive data also includes the complete maps of sensitive applications harbored locally or in the cloud.
Some examples of sensitive applications include Microsoft Exchange, SharePoint, Salesforce, VMware Horizon, Spiceworks, and SQL. The ESET researchers noted that the nature of the applications and specific versions made it possible for known exploits to be deployed across the entire network as mapped by the hacker.
The insider details, in this case, are reserved for personnel with high credentials, including network administrators and their managers. A threat actor who could access this information could easily formulate a plan for the attack to give them access to the entire network without triggering an alert.
The researchers said, “With this level of detail, impersonating network or internal hosts would be far simpler for an attacker, especially since the devices often contain VPN credentials or other easily cracked authentication tokens.”
The details contained within the routers also showed that some operated in an environment of managed IT providers that operate the networks relied upon by large companies. One of the devices was owned by a managed security services provider (MSSP) that handled the networks of clients spawned across various industries such as healthcare, finance, education, and manufacturing.
This research shows that it is important to wipe data on network devices appropriately before getting rid of them. Moreover, companies need mechanisms to destroy and dispose of their digital equipment securely. The researchers have also urged companies to refrain from using third-party services to wipe network devices.
They noted that after contacting one of the companies that had sold their routers, they detected that they had used a third-party service. Therefore, companies must follow the recommendations laid out by the makers of these devices to clean the equipment of any sensitive data that can be used in a hacking attack.
