Company secrets and data on decommissioned corporate routers

ESET, a global leader in digital security, presented new research into enterprise network devices that were retired and then sold on the secondary market. ESET examined configuration data from 16 different corporate routers and found that over 56% – nine routers – still contained sensitive corporate data.

In the wrong hands, this data is enough to trigger a cyberattack that would lead to a data breach, putting the company, its partners and customers at risk.

Of the nine devices:

  • 22% contained customer data
  • 33% contained data that allowed third-party connections to the network.
  • 44% had credentials to connect to other networks as a trusted party.
  • 89% contained app-specific login details
  • 89% contained router-to-router authentication
  • 100% contained one or more of IPsec or VPN credentials or root codes.
  • 100% had sufficient data to reliably identify the former owner/operator

"Our findings are extremely disturbing and should wake us up," said Cameron Camp, an ESET security researcher who led the investigation. "We would expect that medium and large-sized companies would have a strict set of security initiatives in place to retire devices, but we found the opposite. Organizations need to be very careful about what remains on the devices they put up for sale, as the majority of devices we took from the secondary market contained a digital blueprint of the company involved, including but not limited to basic network information, application data, corporate credentials and information about partners, suppliers and customers."

Organizations often recycle old devices through third-party companies tasked with verifying the safe destruction or recycling of digital equipment and the disposal of the data contained within it.

Whether due to the recycling company's error or the company's disposal procedures, a range of data was found on corporate routers, including:

  • Third party data: As we've seen in cyber attacks, a breach of a company's network can spread to customers, partners and other businesses they may be connected to.
  • Trusted parties: Trusted parties (which could be used as a secondary attack vehicle) would accept certificates and cryptographic tokens found on these devices, allowing for a very convincing adversary in the middle (AitM) attack with trusted credentials, capable of extracting corporate secrets, with victims not knowing about it for long periods of time.
  • Customer data: This can cause potential security issues for clients if an adversary is able to obtain specific information about them.
  • Special applications: These devices contained information of the most important applications used by specific organizations, both on-premises and in the cloud. These applications range from corporate e-mail to secure customer logins, physical building security information such as vendors and topologies for access cards and networks with , as well as suppliers and sales and customer platforms. In addition, ESET researchers were able to determine which ports and from which hosts these applications are communicating. Due to the granularity of the applications and the specific versions used in some cases, known vulnerabilities could be exploited throughout the network topology that an attacker would have already mapped.
  • Extended routing information: ESET found full layouts of various organizations' internal operations, which would provide extensive network topology information to exploit if the devices fell into the hands of an adversary. The recovered configurations also contained local and international locations of remote offices and operators, including their relationship to headquarters – more data that would be extremely valuable to potential adversaries. IPsec tunneling can be used to connect trusted routers to each other, which can be a component of peer-to-peer WAN router setups.
  • Trusted operators: The devices were filled with potentially recoverable or instantly reusable corporate credentials – including admin logins, VPN credentials and cryptographic keys – that would allow malicious actors to gain access to the entire network.

"There are well-structured procedures in place for proper hardware retirement, and this research shows that many companies do not strictly follow them when preparing devices for the hardware aftermarket," said Tony Anscombe, ESET's Chief Security Evangelist. "Exploiting a vulnerability or spearphishing for credentials is potentially hard work. But our research shows that there is a much easier way to get this data, and more. We urge organizations involved in device disposal, data destruction, and device resale to carefully review their processes and ensure they comply with the latest NIST standards for media retirement."

The routers in the study came from organizations ranging from medium-sized enterprises to large multinationals operating in various industries (data centers, law firms, technology providers, construction companies, technology companies, creative agencies and software development companies).

As part of the process, ESET, where possible, communicated the findings to each organization – several of which were well-known companies – to ensure they were aware of details potentially compromised by others in the devices' chain of custody.

Some of the organizations were extremely reluctant to respond to ESET's repeated attempts to contact them, while others responded as required, treating the incident as a complete security breach.

Organizations are reminded that they must use a trusted, competent third party to dispose of the devices, or take all necessary precautions if handling the decommissioning themselves. This should extend beyond routers and hard drives to every device that is part of the network.

Many organizations surveyed may have felt they had contracted with trusted vendors, but their data was still being leaked. With this in mind, organizations are advised to follow the manufacturer's instructions for removing all data from a device before it leaves their premises, a simple step that many IT staff can handle.

It is a reminder that organizations must take disclosure notifications seriously. Otherwise they may be vulnerable to a costly data breach and significant reputational damage.

To read the white paper, which includes information on safe device disposal, visit the new publication "Discarded, not destroyed: Old routers reveal corporate secrets" at WeLiveSecurity.


Written by newsbot
