US and UK agencies warn of Russia-linked APT28 exploiting Cisco router flaws

UK and US agencies are warning of Russia-linked APT28 group exploiting vulnerabilities in Cisco networking equipment.

Russia-linked APT28 group accesses unpatched Cisco routers to deploy malware exploiting the not patched CVE-2017-6742 vulnerability (CVSS score: 8.8), states a joint report published by the UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), US Cybersecurity and Infrastructure Security Agency (CISA) and US Federal Bureau of Investigation (FBI).

The joint advisory provides detailed info on tactics, techniques, and procedures (TTPs) associated with APT28’s attacks conducted in 2021 that exploited the flaw in Cisco routers.

The APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election.

The group operates out of military unity 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

Most of the APT28s’ campaigns leveraged spear-phishing and malware-based attacks.

According to the joint report, APT28 exploited the known vulnerability to carry out reconnaissance and reploy malware on unpatched Cisco routers.

The Russia-linked APT28 conducted the attacks in 2021 and targeted a small number of entities in Europe, U.S. government institutions, and about 250 Ukrainian victims.

“APT28 has been known to access vulnerable routers by using default and weak SNMP community strings, and by exploiting CVE-2017-6742 (Cisco Bug ID: CSCve54313) as published by Cisco.” reads the joint advisory. “In 2021, APT28 used infrastructure to masquerade Simple Network Management protocol (SNMP) access into Cisco routers worldwide.”

The SNMP protocol allows network administrators to monitor and configure network devices remotely, but the cyberspies abused it to obtain sensitive network information and, then target vulnerable devices to breach into the network.

“A number of software tools can scan the entire network using SNMP, meaning that poor configuration such as using default or easy-to-guess community strings, can make a network susceptible to attacks.” continues the advisory. “Weak SNMP community strings, including the default “public,” allowed APT28 to gain access to router information. APT28 sent additional SNMP commands to enumerate router interfaces. [T1078.001] The compromized routers were configured to accept SNMP v2 requests. SNMP v2 doesn’t support encryption and so all data, including community strings, is sent unencrypted.”

The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 12.0 through 12.4 and 15.0 through 15.6 and IOS XE 2.2 through 3.17 is affected by multiple vulnerabilities that can be exploited by an authenticated, remote attacker to execute code on an affected system or cause vulnerable devices to reload. An attacker can exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6.

For some of the targeted devices, threat actors abused an SNMP exploit to deploy the Jaguar Tooth Malware. Once the malware has obtained further device information, it is exfiltrated over trivial file transfer protocol (TFTP), and set up unauthenticated access via a backdoor.

“The actor obtained this device information by executing a number of Command Line Interface (CLI) commands via the malware. It includes discovery of other devices on the network by querying the Address Resolution Protocol (ARP) table to obtain MAC addresses. [T1590].” continues the report.

The agencies recommend updating to the latest firmware and switching from SNMP to NETCONF or RESTCONF for network management.

“This campaign, dubbed “Jaguar Tooth,” is an example of a much broader trend of sophisticated adversaries targeting networking infrastructure to advance espionage objectives or pre-position for future destructive activity. While infrastructure of all types has been observed under attack, attackers have been particularly successful in compromising infrastructure with out-of-date software.” reads an advisory published by Cisco Talos. “In other incidents, we have observed well-positioned adversaries with preexisting access to internal environments targeting TACACS+/RADIUS servers to obtain credentials. This gives them the benefit of understanding the controls enforced by the credential server, as well as allowing their traffic to look “normal” by using jump servers and employing other techniques that a typical network administrator would use.”

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

• The Teacher – Most Educational Blog
• The Entertainer – Most Entertaining Blog
• The Tech Whizz – Best Technical Blog
• Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, APT28)