Berserk Bear, Energetic Bear, Edge Network Infrastructure, SNMP, CVE-2018-0171, CVE-2008-4128, Living off the Land
Source Material: CISA AA26-194A | Technology: Cisco IOS, SNMP, SMI, Network Edge Devices | Targeted Industries: Critical Infrastructure, Defense Industrial Base, Global Enterprise
Executive Summary
On July 13, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) and international intelligence partners issued Joint Cybersecurity Advisory AA26-194A. The advisory details a sustained global campaign attributed to the Russian Federal Security Service (FSB) Center 16, commonly tracked as Berserk Bear and Energetic Bear. These threat actors are exploiting poorly configured edge networking devices, specifically routers, switches, and firewalls, to compromise corporate environments.
Rather than leveraging zero-day exploits, these actors systematically abuse legacy protocols and cryptographic misconfigurations. The group is targeting internet-facing networks by abusing the Simple Network Management Protocol (SNMP), exploiting deprecated features like Cisco Smart Install (SMI), exfiltrating unencrypted configuration files over Trivial File Transfer Protocol (TFTP), and targeting unpatched, End-of-Life (EoL) legacy devices.
These exfiltrated configuration files often contain weakly hashed administrative credentials. Once decrypted, threat actors use these credentials to bypass perimeter controls entirely, moving laterally to deploy destructive payloads within highly segregated corporate IT and Operational Technology (OT) networks.
Threat Overview and Strategic Impact
These actors actively scan IPv4 ranges for exposed SNMP agents accepting default or easily guessable community strings. Since legacy SNMP (v1 and v2c) operates over the stateless User Datagram Protocol (UDP), the actors easily spoof their source IP addresses to match trusted internal subnets. This UDP spoofing bypasses standard edge access control lists (ACLs) that rely solely on source IP validation. Once authenticated via plaintext community strings, the actors manipulate the Cisco Config Copy Management Information Base (MIB) by sending specific Object Identifiers (OIDs) instructing the router to dump its running configuration.
Outbound connections originating from these trusted infrastructure assets rarely trigger data loss prevention (DLP) alerts, allowing the configuration files to be quietly exfiltrated to attacker-controlled IPs via Trivial File Transfer Protocol (TFTP). The exfiltrated configuration files expose sensitive routing tables, VPN pre-shared keys, and local administrative credentials. This exposure is compounded by the fact that many organizations still utilize deprecated hashing algorithms for network device credentials. Formats such as Cisco Type 7 are easily reversible, while Type 4 and Type 5 hashes remain highly vulnerable to offline GPU brute-forcing.
When weak SNMP configurations are unavailable, the actors pivot to exploiting known vulnerabilities. This includes targeting the unauthenticated Cisco Smart Install (SMI) protocol (CVE-2018-0171) to extract startup configurations or replace legitimate Cisco IOS images with trojanized firmware. Similarly, the group has a history of targeting legacy, end-of-life hardware by exploiting older vulnerabilities like CVE-2008-4128 (a cross-site request forgery flaw in the Cisco IOS HTTP administration interface). Compromising these edge systems is rarely the final objective; These actors leverage the network foothold to pivot downstream, targeting operational technology (OT) and industrial control systems for espionage or to pre-position for future disruptive operations.
Security Hardening and Recommendations
Organizations relying on legacy flat networks and reactive patching could grant the adversary immediate lateral access via a single edge device compromise. Defense-in-depth requires transitioning to zero-trust segmentation and proactive attack surface management. Ensure out-of-band management (OOBM) is implemented for all infrastructure. Restrict administrative and management interface access strictly to internal, authorized networks.
Enforce a “deny-by-default” perimeter filtering strategy. Evaluate and implement blocking for both inbound and outbound UDP port 69 (TFTP), as well as inbound UDP 161/162 (SNMP) and TCP port 4786 (SMI). Note: There are almost no legitimate production use cases where a core edge router or firewall should initiate a direct outbound TFTP transfer to a public IP on the internet. After evaluating environmental impact, disable the Cisco Smart Install auto-loading feature across all switches by executing the appropriate ‘no vstack’ command.
Disable the use of SNMPv1 and SNMPv2c. Transition to SNMPv3 configured with authPriv for cryptographic enforcement. Tie SNMPv3 to strict Management Information Base (MIB) allowlists using SNMP views. Block access to administrative OIDs, explicitly denying the Cisco Config Copy initialization OID (1.3.6.1.4.1.9.9.96.1.1). Finally, audit all device configurations to remove legacy password hashes. Upgrade all local administrative accounts to Type 8 (PBKDF2-SHA256) cryptography.
Establish an aggressive device-lifecycle management program to identify and retire legacy, End-of-Life (EoL) infrastructure. These threat actors continue to exploit historic, unpatchable flaws such as CVE-2008-4128 (multiple Cross-Site Request Forgery vulnerabilities in the legacy Cisco IOS HTTP Administration component).
If legacy edge routers cannot be immediately decommissioned:
- Disable HTTP and HTTPS administrative access by executing the no ip http server and no ip http secure-server commands to prevent the exploitation of legacy web interface vulnerabilities. See the Cisco IOS Hardening Guide for more information.
- Isolate any remaining legacy device management planes to physical out-of-band networks.
Detection Strategy
Monitor the network perimeter for anomalous administrative traffic. Correlate unexpected inbound SNMP Set-Requests with any subsequent outbound TFTP (UDP port 69) traffic originating from edge devices.
Deploy custom intrusion detection system (IDS) signatures to alert immediately if the Cisco Config Copy OID is queried by an IP outside the designated and properly isolated management subnet. Do not treat edge devices as the definitive source of truth for their own configurations. Deploy centralized configuration management platforms to track cryptographic hashes of “golden” configurations. Unauthorized drift, such as a modified static route or a newly created local user account, warrants investigation and response.
How Deepwatch Protects Our Customers
Deepwatch experts continuously monitor customer telemetry for exploitation activity, including the TTPs utilized by these threat actors. To support this continuous monitoring, Deepwatch actively tracks the global threat landscape, collecting and analyzing emerging intelligence related to FSB Center 16 operations on an ongoing basis. This continuous intelligence analysis is systematically mapped to our detection library, ensuring we maintain robust, validated coverage against the evolving tactics, techniques, and procedures (TTPs) utilized by these threat actors.
Relevant Detections
Please visit Security Center to access the relevant detections for this activity.
Threat Hunting Leads
- Review perimeter firewall logs for anomalous UDP port 69 (TFTP) traffic originating from core routers, firewalls, or VPN concentrators.
- Inspect SNMP traffic logs for unexpected source IPs (including spoofed internal addresses) accessing the management plane of edge devices.
- Hunt for the execution of the show vstack config or no vstack commands within centralized TACACS+ AAA command accounting logs or local syslog messages matching facility severity 5 (%SYS-5-CONFIG_I) to identify potential unauthorized SMI reconnaissance or manipulation..
Technical Artifacts
Please visit Security Center to access the associated technical artifacts.
Threat Object Mapping
Intrusion Set:
- FSB Center 16 (Aliases: Berserk Bear, Energetic Bear, Dragonfly, Crouching Yeti)
Attack Pattern (MITRE ATT&CK/MITRE ATLAS):
| Tactic | Technique | Technique ID | Associated Threat Activity |
| Reconnaissance | Active Scanning | T1595.001 | Scanning global IPv4 ranges for exposed SNMP and SMI ports. |
| Reconnaissance | Vulnerability Scanning | 1595.002 | Scanning for CVE-2018-0171 and CVE-2008-4128 |
| Execution | Inter-Process Communication | T1569 | Using SNMP Set-Requests to trigger automated configuration actions. |
| Credential Access | OS Credential Dumping | T1003 | Harvesting configuration files containing deprecated password hashes. |
| Defense Evasion | IP Spoofing | T1027 | Spoofing UDP packets to masquerade as trusted internal management hosts. |
| Exfiltration | Exfiltration Over Alternative Protocol | T1048 | Transmitting collected configurations outboard via unencrypted TFTP. |
| Resource Development | Acquire Infrastructure: Virtual Private Servers | T1583.003 | Leverages leased Virtual Private Servers (VPS) as infrastructure. |
| Resource Development | Compromise Infrastructure: Network Devices | T1584.008 | Compromises intermediate routers to mask activity. |
| Resource Development | Obtain Capabilities: Exploits | T1588.005 | Uses publicly available code to exploit vulnerable edge devices. |
| Initial Access | Exploit Public-Facing Application | T1190 | Exploits publicly known CVEs (e.g., CVE-2018-0171, CVE-2008-4128) on edge interfaces. |
| Command and Control | Proxy | T1090 | Uses actor-controlled leased VPS infrastructure for C2 and to direct network traffic. |
| Command and Control | Application Layer Protocol | T1071 | Opens and exposes services like TFTP and FTP for communication. |
| Collection | Data from Configuration Repository: SNMP (MIB Dump) | T1602.001 | Targets specific MIBs to collect network information via SNMP. |
| Collection | Data from Configuration Repository: Network Device Configuration Dump | T1602.002 | Acquires sensitive credentials and routing data by dumping network device configurations. |
| Privilege Escalation | Exploitation for Privilege Escalation | T1068 | Exploits known CVEs for escalated privileges on edge hardware. |
Vulnerabilities:
- CVE-2018-0171 -Cisco Smart Install Remote Code Execution Vulnerability
- CVE-2008-4128 – Cisco IOS Cross-Site Request Forgery Vulnerability (Note: Affects End-of-Life legacy devices only)
Malware/Tool:
- Unknown
Additional Sources
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180409-smi
- https://sec.cloudapps.cisco.com/security/center/resources/IOS_XE_hardening
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-194a
- https://media.defense.gov/2026/Jul/09/2003959459/-1/-1/0/CSI_REDUCING_RISK_OF_SNMP_ABUSE.PDF
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a
- https://media.defense.gov/2022/Feb/17/2002940795/-1/-1/1/CSI_CISCO_PASSWORD_TYPES_BEST_PRACTICES_20220217.PDF
- https://www.cyber.gc.ca/en/guidance/baseline-security-requirements-network-security-zones-version-20-itsp80022
Share