Flagging an important warning from the FBI / IC3, and sharing resources to help you assess and reduce risk. Alert Number: I-082025-PSA - Russian Government Cyber Actors Targeting Networking Devices, Critical Infrastructure
The High-Level
- The FBI is alerting that Russian FSB cyber actors (aka Center 16 / “Berserk Bear” / “Dragonfly”) are actively exploiting a known vulnerability in Cisco Smart Install (SMI) — CVE-2018-0171 — to target networking devices globally.
- These actors are using SNMP (especially older/insecure versions v1 and v2) and unpatched / end-of-life devices to:
  - Collect configuration files.
  - Modify configs to insert or enable unauthorized access.
  - Do reconnaissance inside victim networks, with particular interest in protocols & applications used in critical infrastructure / industrial control systems.
- The vulnerability and use of legacy/unsecured protocols make aging equipment especially risky. Even if a device is not directly breached, weak practices may allow attackers in.
How Forward Can Help Mitigate Risk
Forward features can help you detect, assess, and remediate exposure related to the concerns in this alert.
- Device Inventory + Vulnerability Awareness - Knowing what devices you have, their software/firmware versions, and whether they’re still supported lets you quickly map risk — which ones are vulnerable to CVE-2018-0171 or have SMI enabled.
- End of Life / End of Sale (EoL/EoS) Checker - Identifies devices in your network that are past their supported life — these are more likely to have unpatched vulnerabilities and to be targeted. Helps you prioritize enhanced monitoring and replacement.
- Configuration Monitoring & Change Detection - Shows if configs have been modified in unexpected ways (e.g. Smart Install settings, SNMP settings). Early detection is key — attackers often modify configs before a deeper compromise.
- Continuous Audits - Regular Intent Checks to identify SNMP v1/v2 and unpatched firmware versions — catching silent vulnerabilities before they’re exploited.
Next Steps
- Check your Cisco devices to see if Smart Install is enabled. If yes, disable it if not needed; if needed, ensure it’s configured securely and access is restricted.
- Use Forward to inventory devices, check for EOL/EOS status, and continuously monitor for vulnerabilities.
- Update / patch firmware / software on any devices susceptible to CVE-2018-0171, or decommission devices that are no longer supported (i.e. EOL/EOS).
- Audit SNMP usage: ensure only SNMP v3 (with encryption/authentication) is used; disable v1 / v2 if possible.
- Continuously monitor configurations for unexpected changes.
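The Smart Install and SNMP checks in the steps above can also be run offline against exported running-configs, which is useful as a quick triage pass before a full inventory. The script below is an added example written for this post; it is not Forward Networks code, and it assumes the Cisco IOS conventions that Smart Install is explicitly disabled only when `no vstack` appears in the config, and that `snmp-server community` lines imply v1/v2c access. The two config snippets are constructed samples, not real device output.

```python
"""Audit Cisco IOS-style running-configs for Smart Install exposure and SNMP v1/v2c use.

Added example (not Forward Networks code). Assumes:
  * 'no vstack' in the config means the Smart Install client is disabled;
    its absence means Smart Install may be enabled (the default on affected IOS).
  * 'snmp-server community ...' lines grant v1/v2c access; RW is worse than RO.
  * 'snmp-server host ... version 1|2c' sends traps/informs over v1/v2c.
  * 'snmp-server group ... v3 <level>' should use 'priv' (auth + encryption).
"""
import re

# Constructed sample: legacy access switch, never hardened.
WEAK_CONFIG = """\
hostname access-sw-legacy
!
snmp-server community public RO
snmp-server community private RW
snmp-server host 10.0.0.5 version 2c public
!
line vty 0 4
 transport input telnet ssh
"""

# Constructed sample: same device after applying the Next Steps above.
HARDENED_CONFIG = """\
hostname access-sw-hardened
!
no vstack
!
snmp-server group NETOPS v3 priv
snmp-server user ops NETOPS v3 auth sha REDACTED priv aes 128 REDACTED
snmp-server host 10.0.0.5 version 3 priv ops
!
line vty 0 4
 transport input ssh
"""

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)\s+(RO|RW)\b", re.I | re.M)
HOST_RE = re.compile(r"^snmp-server host \S+ version (1|2c)\b", re.I | re.M)
V3_GROUP_RE = re.compile(r"^snmp-server group \S+ v3 (noauth|auth|priv)\b", re.I | re.M)


def smart_install_disabled(config: str) -> bool:
    """True only when the config explicitly carries 'no vstack'."""
    return re.search(r"^no vstack\s*$", config, re.M) is not None


def audit_config(config: str) -> list:
    """Return a list of finding strings; an empty list means nothing flagged."""
    findings = []

    if not smart_install_disabled(config):
        findings.append(
            "smart_install: 'no vstack' absent; Smart Install may be enabled "
            "(IOS default) - exposure to CVE-2018-0171 [high]"
        )

    # Any community string means v1/v2c is accepted; RW allows config changes.
    for m in COMMUNITY_RE.finditer(config):
        community, mode = m.group(1), m.group(2).upper()
        severity = "high" if mode == "RW" else "medium"
        findings.append(f"snmp_v1v2c_community: '{community}' ({mode}) [{severity}]")

    # Trap/inform destinations configured for v1/v2c leak device data in clear text.
    for m in HOST_RE.finditer(config):
        findings.append(f"snmp_v1v2c_host: traps sent with version {m.group(1)} [medium]")

    # v3 groups below 'priv' skip authentication and/or encryption.
    for m in V3_GROUP_RE.finditer(config):
        level = m.group(1).lower()
        if level != "priv":
            findings.append(f"snmp_v3_weak_group: security level '{level}', expected 'priv' [medium]")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit_config(cfg) or ["no findings"]:
            print("  ", f)
```

Run it against a directory of `show running-config` exports to get a first list of devices that need `no vstack` applied or SNMP v1/v2c removed; the EOL/EOS question still needs the inventory data Forward provides, since a config alone does not tell you whether the platform is still supported.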
Please reach out if you have any questions or need assistance.