The U.S., Europe and Ukraine are reportedly targets in this malware threat. Find out how to protect affected Cisco routers.
Threat actor APT28 is exploiting an old vulnerability in Cisco routers running Simple Network Management Protocol (SNMP) versions 1, 2c and 3 to target the U.S., Europe and Ukraine. The threat is detailed in a recently published joint advisory from the U.K. National Cyber Security Centre (NCSC), the U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).
How is APT28 accessing Cisco routers?
The advisory states that in 2021, APT28 used malware to exploit an SNMP vulnerability, CVE-2017-6742, which Cisco disclosed and patched on June 29, 2017. To exploit it, the attacker needs to know the router's SNMP community strings, which act like passwords granting access to the router's data.
Alongside the joint advisory, the NCSC published a malware analysis report titled Jaguar Tooth, which details the malware APT28 deployed through the SNMP vulnerability. The vulnerability is triggered to write the Jaguar Tooth code into the memory of targeted Cisco Internetworking Operating System (IOS) routers, where it is then executed.
According to the NCSC, Jaguar Tooth consists of payloads and patches that provide unauthenticated backdoor access, allowing the attacker to log in to existing local accounts. It also creates a new process called Service Policy Lock that automatically collects information and exfiltrates it over the Trivial File Transfer Protocol (TFTP). The collected information includes device details, the running configuration, firmware version, directory listings, and network information such as Address Resolution Protocol (ARP) tables, interfaces and other connected routers (Figure A).
Figure A
Cisco IOS commands executed by the threat actor via the Jaguar Tooth malware. Image: NCSC
Who is APT28?
APT28 is a threat actor that has been active since 2004; it also goes by the aliases Sofacy, Fancy Bear, Pawn Storm, Sednit, Tsar Team and Strontium. APT28 has been identified as military unit 26165 of Russia's military intelligence agency, the GRU. Several of its members were charged by the U.S. Department of Justice in 2018 for "international hacking and related influence and disinformation operations," according to a Justice Department press release.
The Mueller special counsel investigation describes the group as "a cyber unit dedicated to targeting military, political, governmental, and non-governmental organizations outside of Russia, including the United States." APT28 has departments with different specialties, including a malware development department and one running large-scale spear phishing campaigns.
Who has APT28 targeted with this vulnerability?
APT28 targeted Cisco routers in Europe, U.S. government institutions and roughly 250 Ukrainian victims, according to the report.
It is very likely that some organizations still run Cisco routers that are unpatched or even past end of life. Such routers remain vulnerable to this exploit.
How to mitigate this Cisco router vulnerability
In a blog post on state-sponsored attacks targeting global network infrastructure, Cisco Talos reminds users that carefully chosen SNMP community strings will block this attack, because exploiting CVE-2017-6742 requires the attacker to know the community string.
Talos also warns that even well-chosen strings are sent in cleartext unless SNMPv3 is used, and can be intercepted by a threat actor: SNMP v1 and v2c lack proper encryption and authentication, whereas SNMPv3 provides its own message authentication and encryption (the authPriv security level). It is therefore strongly recommended to deploy SNMPv3, encrypt all monitoring and configuration traffic, and choose complex community strings.
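To make the cleartext point concrete, here is an added example (written for this article, not code from the advisory, the NCSC report or Talos) that decodes the BER header of a captured SNMP datagram and extracts the community string. The packet bytes are constructed inline; the v3 sample is a header-only stub, not a complete SNMPv3 message, and the wordlist of weak communities is an assumption.

```python
# Added example: decode the header of an SNMP datagram and show that v1/v2c
# carry the community string (the credential) unencrypted on the wire.
# All packet bytes below are constructed for illustration.

WEAK_COMMUNITIES = {"public", "private", "cisco", "admin"}  # assumed wordlist

# Constructed SNMPv2c GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), community "public".
SAMPLE_V2C_GET = bytes.fromhex(
    "3026"                  # SEQUENCE, 38 bytes: the whole SNMP message
    "020101"                # INTEGER version = 1 (SNMPv2c; 0 is v1, 3 is v3)
    "04067075626c6963"      # OCTET STRING "public": the community string, unencrypted
    "a019"                  # GetRequest-PDU, 25 bytes
    "020101"                # request-id = 1
    "020100"                # error-status = 0
    "020100"                # error-index = 0
    "300e"                  # VarBindList
    "300c"                  # VarBind
    "06082b06010201010100"  # OID 1.3.6.1.2.1.1.1.0 (sysDescr.0)
    "0500"                  # NULL value (a GetRequest carries no value)
)

# Same datagram with the version byte (offset 4) set to 0, i.e. SNMPv1.
SAMPLE_V1_GET = SAMPLE_V2C_GET[:4] + b"\x00" + SAMPLE_V2C_GET[5:]

# Header-only stub of an SNMPv3 message (version 3, then msgGlobalData SEQUENCE).
# Not a complete v3 message; it covers only the fields this parser reads.
SAMPLE_V3_STUB = bytes.fromhex("3005" "020103" "3000")


def _read_tlv(buf, pos):
    """Read one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next N bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(packet):
    """Return {'version': 'v1'|'v2c'|'v3', 'community': str|None} for an SNMP message."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big")
    if version == 3:
        # SNMPv3 carries msgGlobalData and USM security parameters here,
        # not a community string; the credential is authenticated/encrypted.
        return {"version": "v3", "community": None}
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    return {"version": {0: "v1", 1: "v2c"}.get(version, f"unknown({version})"),
            "community": community.decode("latin-1")}


def assess(packet):
    """Classify a captured datagram by whether a cleartext (or guessable) credential is exposed."""
    hdr = parse_snmp_header(packet)
    if hdr["community"] is None:
        return "ok: SNMPv3, no cleartext credential on the wire"
    if hdr["community"].lower() in WEAK_COMMUNITIES:
        return f"critical: {hdr['version']} default community '{hdr['community']}' in cleartext"
    return f"warning: {hdr['version']} community '{hdr['community']}' in cleartext"


if __name__ == "__main__":
    for pkt in (SAMPLE_V2C_GET, SAMPLE_V1_GET, SAMPLE_V3_STUB):
        print(parse_snmp_header(pkt), "->", assess(pkt))
```

Run it and the v1 and v2c samples yield the community "public" straight from the bytes, which is exactly what an attacker with a tap on the management network gets; the v3 stub yields no community at all because the credential is not carried as a cleartext field.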
Other preventive security measures are also recommended:
- Change default credentials on routers to unique, strong ones known only to administrators.
- Disable SNMP if remote management of routers isn't required in your organization, to reduce the attack surface.
- Use modern, not end-of-life, hardware and software, and keep routers up to date and patched.
- Monitor configuration or behavior changes on routers with tools based on TACACS+ and Syslog.
- Enforce strong policies using role-based access control. Only authorized staff should be able to access the administration or configuration of these devices.
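As an added example (written for this article, not from the advisory or Talos), the script below audits a Cisco IOS running config for the SNMP weaknesses discussed above: v1/v2c community strings, default or guessable strings, read-write access, missing source ACLs, and SNMPv3 groups configured without encryption. Both configs are constructed samples; the severity labels and the wordlist are this example's own assumptions. The hardened sample shows what the running config looks like after the v1/v2c communities have been removed and an SNMPv3 group at the priv level with an ACL has been added.

```python
# Added example: audit an IOS config for SNMP weaknesses. Sample configs,
# severity labels and the guessable-string list are all assumptions.
import re

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]   (RO is the IOS default)
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?\s*(RO|RW)?(?:\s+(\S+))?\s*$", re.I)
# snmp-server group <name> v3 {noauth|auth|priv} [access <acl>]
V3_GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b", re.I)
GUESSABLE = {"public", "private", "cisco", "admin", "manager"}  # assumed wordlist
SEVERITY_ORDER = ["info", "medium", "high", "critical"]

WEAK_CONFIG = """\
hostname edge-rtr-1
snmp-server community public RO
snmp-server community private RW
snmp-server community Kq7!vZ2pLm RO 10
access-list 10 permit 10.10.0.0 0.0.0.255
"""

# No v1/v2c communities; SNMPv3 group at priv (auth + encryption) bound to ACL 10.
HARDENED_CONFIG = """\
hostname edge-rtr-1
access-list 10 permit 10.10.0.0 0.0.0.255
snmp-server group NETMON v3 priv access 10
snmp-server user monitor NETMON v3 auth sha Auth-Pass-Example priv aes 128 Priv-Pass-Example
"""


def audit_snmp_config(config_text):
    """Return a list of (severity, message) findings for one IOS config."""
    findings = []
    v3_groups = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            community = m.group(1)
            mode = (m.group(2) or "RO").upper()   # IOS defaults to read-only
            acl = m.group(3)
            findings.append(("high", f"v1/v2c community '{community}' configured (sent in cleartext)"))
            if community.lower() in GUESSABLE:
                findings.append(("critical", f"guessable community '{community}'"))
            if mode == "RW":
                findings.append(("critical", f"read-write community '{community}' allows config changes"))
            if acl is None:
                findings.append(("medium", f"community '{community}' not restricted by an ACL"))
            continue
        m = V3_GROUP_RE.match(line)
        if m:
            name, level = m.group(1), m.group(2).lower()
            v3_groups.append(name)
            if level != "priv":
                findings.append(("high", f"SNMPv3 group '{name}' uses {level} (no encryption); use priv"))
    if not v3_groups:
        findings.append(("info", "no SNMPv3 group configured; v3 with priv is recommended"))
    return findings


def worst_severity(findings):
    """Highest severity present, or 'none' for a clean config."""
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.index, default="none")


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_snmp_config(cfg)
        print(f"{label}: worst={worst_severity(results)}")
        for sev, msg in results:
            print(f"  [{sev}] {msg}")
```

Feed it the output of `show running-config` from each router and anything rated high or critical maps directly to the mitigations above: remove or replace the community, restrict it with an ACL, or move the device to SNMPv3 at the priv level.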
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.