2027 CISO Priorities: Where Security Leaders Are Investing in the AI Era Register Now →

High

CA-26-025: Hardening Edge Network Infrastructure Against Known Berserk Bear and Energetic Bear Exploitation

By Adversary Tactics and Intelligence Team

Estimated Reading Time: 7 minutes

Berserk Bear, Energetic Bear, Edge Network Infrastructure, SNMP, CVE-2018-0171, CVE-2008-4128, Living off the Land

Source Material: CISA AA26-194A | Technology: Cisco IOS, SNMP, SMI, Network Edge Devices  | Targeted Industries: Critical Infrastructure, Defense Industrial Base, Global Enterprise

Executive Summary

On July 13, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) and international intelligence partners issued Joint Cybersecurity Advisory AA26-194A. The advisory details a sustained global campaign attributed to the Russian Federal Security Service (FSB) Center 16, commonly tracked as Berserk Bear and Energetic Bear. These threat actors are exploiting poorly configured edge networking devices, specifically routers, switches, and firewalls, to compromise corporate environments.

Rather than leveraging zero-day exploits, these actors systematically abuse legacy protocols and cryptographic misconfigurations. The group is targeting internet-facing networks by abusing the Simple Network Management Protocol (SNMP), exploiting deprecated features like Cisco Smart Install (SMI), exfiltrating unencrypted configuration files over Trivial File Transfer Protocol (TFTP), and targeting unpatched, End-of-Life (EoL) legacy devices.

These exfiltrated configuration files often contain weakly hashed administrative credentials. Once decrypted, threat actors use these credentials to bypass perimeter controls entirely, moving laterally to deploy destructive payloads within highly segregated corporate IT and Operational Technology (OT) networks.

Threat Overview and Strategic Impact

These actors actively scan IPv4 ranges for exposed SNMP agents accepting default or easily guessable community strings. Since legacy SNMP (v1 and v2c) operates over the stateless User Datagram Protocol (UDP), the actors easily spoof their source IP addresses to match trusted internal subnets. This UDP spoofing bypasses standard edge access control lists (ACLs) that rely solely on source IP validation. Once authenticated via plaintext community strings, the actors manipulate the Cisco Config Copy Management Information Base (MIB) by sending specific Object Identifiers (OIDs) instructing the router to dump its running configuration. 

Outbound connections originating from these trusted infrastructure assets rarely trigger data loss prevention (DLP) alerts, allowing the configuration files to be quietly exfiltrated to attacker-controlled IPs via Trivial File Transfer Protocol (TFTP). The exfiltrated configuration files expose sensitive routing tables, VPN pre-shared keys, and local administrative credentials. This exposure is compounded by the fact that many organizations still utilize deprecated hashing algorithms for network device credentials. Formats such as Cisco Type 7 are easily reversible, while Type 4 and Type 5 hashes remain highly vulnerable to offline GPU brute-forcing.

When weak SNMP configurations are unavailable, the actors pivot to exploiting known vulnerabilities. This includes targeting the unauthenticated Cisco Smart Install (SMI) protocol (CVE-2018-0171) to extract startup configurations or replace legitimate Cisco IOS images with trojanized firmware. Similarly, the group has a history of targeting legacy, end-of-life hardware by exploiting older vulnerabilities like CVE-2008-4128 (a cross-site request forgery flaw in the Cisco IOS HTTP administration interface). Compromising these edge systems is rarely the final objective; These actors leverage the network foothold to pivot downstream, targeting operational technology (OT) and industrial control systems for espionage or to pre-position for future disruptive operations.

Security Hardening and Recommendations

Organizations relying on legacy flat networks and reactive patching could grant the adversary immediate lateral access via a single edge device compromise. Defense-in-depth requires transitioning to zero-trust segmentation and proactive attack surface management. Ensure out-of-band management (OOBM) is implemented for all infrastructure. Restrict administrative and management interface access strictly to internal, authorized networks.

Enforce a “deny-by-default” perimeter filtering strategy. Evaluate and implement blocking for both inbound and outbound UDP port 69 (TFTP), as well as inbound UDP 161/162 (SNMP) and TCP port 4786 (SMI). Note: There are almost no legitimate production use cases where a core edge router or firewall should initiate a direct outbound TFTP transfer to a public IP on the internet. After evaluating environmental impact, disable the Cisco Smart Install auto-loading feature across all switches by executing the appropriate ‘no vstack’ command.

Disable the use of SNMPv1 and SNMPv2c. Transition to SNMPv3 configured with authPriv for cryptographic enforcement. Tie SNMPv3 to strict Management Information Base (MIB) allowlists using SNMP views. Block access to administrative OIDs, explicitly denying the Cisco Config Copy initialization OID (1.3.6.1.4.1.9.9.96.1.1). Finally, audit all device configurations to remove legacy password hashes. Upgrade all local administrative accounts to Type 8 (PBKDF2-SHA256) cryptography.

Establish an aggressive device-lifecycle management program to identify and retire legacy, End-of-Life (EoL) infrastructure. These threat actors continue to exploit historic, unpatchable flaws such as CVE-2008-4128 (multiple Cross-Site Request Forgery vulnerabilities in the legacy Cisco IOS HTTP Administration component).

If legacy edge routers cannot be immediately decommissioned:

  • Disable HTTP and HTTPS administrative access by executing the no ip http server and no ip http secure-server commands to prevent the exploitation of legacy web interface vulnerabilities. See the Cisco IOS Hardening Guide for more information.
  • Isolate any remaining legacy device management planes to physical out-of-band networks.

Detection Strategy

Monitor the network perimeter for anomalous administrative traffic. Correlate unexpected inbound SNMP Set-Requests with any subsequent outbound TFTP (UDP port 69) traffic originating from edge devices.

Deploy custom intrusion detection system (IDS) signatures to alert immediately if the Cisco Config Copy OID is queried by an IP outside the designated and properly isolated management subnet. Do not treat edge devices as the definitive source of truth for their own configurations. Deploy centralized configuration management platforms to track cryptographic hashes of “golden” configurations. Unauthorized drift, such as a modified static route or a newly created local user account, warrants investigation and response.

How Deepwatch Protects Our Customers

Deepwatch experts continuously monitor customer telemetry for exploitation activity, including the TTPs utilized by these threat actors. To support this continuous monitoring, Deepwatch actively tracks the global threat landscape, collecting and analyzing emerging intelligence related to FSB Center 16 operations on an ongoing basis. This continuous intelligence analysis is systematically mapped to our detection library, ensuring we maintain robust, validated coverage against the evolving tactics, techniques, and procedures (TTPs) utilized by these threat actors.

Relevant Detections

Please visit Security Center to access the relevant detections for this activity.

Threat Hunting Leads

  • Review perimeter firewall logs for anomalous UDP port 69 (TFTP) traffic originating from core routers, firewalls, or VPN concentrators.
  • Inspect SNMP traffic logs for unexpected source IPs (including spoofed internal addresses) accessing the management plane of edge devices.
  • Hunt for the execution of the show vstack config or no vstack commands within centralized TACACS+ AAA command accounting logs or local syslog messages matching facility severity 5 (%SYS-5-CONFIG_I) to identify potential unauthorized SMI reconnaissance or manipulation..

Technical Artifacts 

Please visit Security Center to access the associated technical artifacts.

Threat Object Mapping

Intrusion Set:

  •  FSB Center 16 (Aliases: Berserk Bear, Energetic Bear, Dragonfly, Crouching Yeti)

Attack Pattern (MITRE ATT&CK/MITRE ATLAS):

TacticTechniqueTechnique IDAssociated Threat Activity
ReconnaissanceActive ScanningT1595.001Scanning global IPv4 ranges for exposed SNMP and SMI ports.
ReconnaissanceVulnerability Scanning1595.002Scanning for CVE-2018-0171 and CVE-2008-4128
ExecutionInter-Process CommunicationT1569Using SNMP Set-Requests to trigger automated configuration actions.
Credential AccessOS Credential DumpingT1003Harvesting configuration files containing deprecated password hashes.
Defense EvasionIP SpoofingT1027Spoofing UDP packets to masquerade as trusted internal management hosts.
ExfiltrationExfiltration Over Alternative ProtocolT1048Transmitting collected configurations outboard via unencrypted TFTP.
Resource DevelopmentAcquire Infrastructure: Virtual Private ServersT1583.003Leverages leased Virtual Private Servers (VPS) as infrastructure.
Resource DevelopmentCompromise Infrastructure: Network DevicesT1584.008Compromises intermediate routers to mask activity.
Resource DevelopmentObtain Capabilities: ExploitsT1588.005Uses publicly available code to exploit vulnerable edge devices.
Initial AccessExploit Public-Facing ApplicationT1190Exploits publicly known CVEs (e.g., CVE-2018-0171, CVE-2008-4128) on edge interfaces.
Command and ControlProxyT1090Uses actor-controlled leased VPS infrastructure for C2 and to direct network traffic.
Command and ControlApplication Layer ProtocolT1071Opens and exposes services like TFTP and FTP for communication.
CollectionData from Configuration Repository: SNMP (MIB Dump)T1602.001Targets specific MIBs to collect network information via SNMP.
CollectionData from Configuration Repository: Network Device Configuration DumpT1602.002Acquires sensitive credentials and routing data by dumping network device configurations.
Privilege EscalationExploitation for Privilege EscalationT1068Exploits known CVEs for escalated privileges on edge hardware.

Vulnerabilities:

  • CVE-2018-0171 -Cisco Smart Install Remote Code Execution Vulnerability
  • CVE-2008-4128 – Cisco IOS Cross-Site Request Forgery Vulnerability (Note: Affects End-of-Life legacy devices only)

Malware/Tool:

  • Unknown

Additional Sources

Share

LinkedIn Twitter Facebook