In a joint warning, US and UK cybersecurity and intelligence agencies have alerted the public to Russian nation-state actors exploiting Cisco routers through previously patched vulnerabilities. These hackers have been conducting reconnaissance and deploying malware against their targets, compromising Cisco equipment.
APT28: A persistent threat
The intrusions occurred in 2021, targeting a small number of European entities, US government institutions, and approximately 250 Ukrainian victims. This activity is associated with a threat actor called APT28. They are also known as Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, and Sofacy. APT28 is affiliated with the Russian General Staff Main Intelligence Directorate (GRU).
The National Cyber Security Centre (NCSC) stated that APT28 accessed vulnerable routers through default and weak SNMP community strings. They also exploited CVE-2017-6742, a vulnerability with a CVSS score of 8.8. This flaw is a remote code execution issue, caused by a buffer overflow in the SNMP subsystem of Cisco IOS and IOS XE Software.
In the observed attacks, the Russian operators used this vulnerability to deploy the Jaguar Tooth malware on Cisco routers. The malware collects device information and provides unauthenticated backdoor access.
Patch management and preventive measures
Although Cisco addressed the issues in June 2017, they have been publicly exploited since January 11, 2018. This gap highlights the importance of robust patch management practices to minimize the attack surface.
Cisco recommends upgrading to the latest firmware to address these threats. Additionally, administrators should move from SNMP to NETCONF or RESTCONF for network management.
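The advisory's two SNMP findings (default or weak community strings, and continued reliance on SNMPv1/v2c) can be checked offline from a saved running-config. The following audit script is an added example written for this article, not tooling from Cisco, NCSC, or Talos; the list of default community strings and the minimum length are assumptions to adjust for your environment, and the sample config is constructed.

```python
"""Audit a Cisco IOS running-config for the weak SNMP exposure described above."""
import re

# Assumed list of well-known default community strings; extend for your environment.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin"}
MIN_COMMUNITY_LEN = 12  # assumed policy minimum

# Matches: snmp-server community <name> [view <v>] [RO|RW] [ipv6 <acl>] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)"
    r"(?: view \S+)?(?: (?P<mode>RO|RW))?(?: ipv6 \S+)?(?: (?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)
V3_GROUP_RE = re.compile(r"^snmp-server group \S+ v3 (auth|priv)\b", re.IGNORECASE)

def audit_snmp(config_text: str) -> list[str]:
    """Return one finding per weak SNMP setting found in the config text."""
    findings = []
    has_v3 = has_v1v2c = False
    for line in config_text.splitlines():
        line = line.strip()
        if V3_GROUP_RE.match(line):
            has_v3 = True
            continue
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        has_v1v2c = True  # any community string means SNMPv1/v2c is enabled
        name, mode, acl = m["name"], (m["mode"] or "RO").upper(), m["acl"]
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"{name}: default/well-known community string")
        elif len(name) < MIN_COMMUNITY_LEN:
            findings.append(f"{name}: community string shorter than {MIN_COMMUNITY_LEN} chars")
        if mode == "RW":
            findings.append(f"{name}: read-write community (allows configuration changes)")
        if acl is None:
            findings.append(f"{name}: no access-list restricting SNMP sources")
    if has_v1v2c and not has_v3:
        findings.append("SNMPv1/v2c in use with no SNMPv3 auth/priv group configured")
    return findings

# Constructed sample config (not from any real device) exercising each check.
SAMPLE_CONFIG = """\
hostname edge-router-1
snmp-server community public RO
snmp-server community private RW
snmp-server community Xk9#mLq2vP7wRt RO 99
"""

if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print("WEAK:", finding)
```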
Cisco Talos, in a coordinated advisory, revealed that Russian hackers are behind these attacks, which are part of a broader campaign targeting aging networking appliances and software from various vendors. The goal is to advance espionage objectives or prepare for potential future destructive activities.
This alert follows previous warnings from the US government about China-based state-sponsored cyber actors exploiting network vulnerabilities to target public and private sector organizations since at least 2020. Google-owned Mandiant also reported on Chinese state-sponsored threat actors deploying custom malware on vulnerable Fortinet and SonicWall devices.
Mandiant emphasized that “advanced cyber espionage threat actors are taking advantage of any technology available to persist and traverse a target environment, especially those technologies that do not support [endpoint detection and response] solutions.”