
US and UK Warn Russian Hackers Exploiting Cisco Router Flaws for Espionage
The UK and US intelligence and cybersecurity agencies have warned that a Russian nation-state actor is exploiting a now-patched vulnerability in Cisco's network equipment for reconnaissance and to deploy malware against selected targets.
The intrusions, according to the authorities, took place in 2021 and targeted a small number of European entities, US government agencies, and around 250 Ukrainian victims.
The activity is associated with a threat actor tracked as APT28, which is also known as Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, and Sofacy, and is affiliated with the Main Intelligence Directorate (GRU) of the Russian General Staff.
“APT28 has been known to access vulnerable routers by using default and weak SNMP community strings, and by exploiting CVE-2017-6742,” said the National Cyber Security Centre (NCSC).
CVE-2017-6742 (CVSS score: 8.8) is part of a set of remote code execution flaws that stem from a buffer overflow condition in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE software.
In the attacks the agency observed, the threat actors weaponized the vulnerability to deploy non-persistent malware dubbed Jaguar Tooth on Cisco routers; the malware is capable of gathering device information and enabling unauthenticated backdoor access.
Although the issue was patched by Cisco in June 2017, it has been publicly exploited since January 11, 2018, underscoring the need for robust patch management practices to limit the attack surface.
Apart from updating to the latest firmware to mitigate potential threats, the company also recommends that users switch from SNMP to NETCONF or RESTCONF for network management.
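The two conditions the advisory ties to APT28's initial access, default or weak SNMP community strings and legacy SNMP v1/v2c left enabled, are both visible in a router's running configuration. The following audit script is an added example (not code from the article, NCSC, or Cisco) that reads a Cisco IOS-style configuration and flags weak or default communities, read-write communities, communities with no source access-list, SNMPv3 groups without the `priv` level, and whether the NETCONF or RESTCONF alternatives Cisco recommends are configured. The sample configurations and the list of default community strings are constructed for illustration; the regular expressions assume the standard `snmp-server community <string> [view <name>] [RO|RW] [acl]` line format.

```python
"""Audit a Cisco IOS / IOS XE running-config for SNMP exposure.

Added example, not from the article or from Cisco/NCSC. It checks only what
a config review can see (weak communities, v1/v2c exposure); the CVE-2017-6742
overflow itself is fixed by patching, not by any setting flagged here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed, non-exhaustive list of community strings that ship as vendor
# defaults or appear in common scanning wordlists.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "manager", "monitor", "secret"}

# snmp-server community <string> [view <name>] [RO|RW] [access-list]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<community>\S+)(?:\s+view\s+\S+)?"
    r"(?:\s+(?P<mode>RO|RW))?(?:\s+(?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)
# snmp-server group <name> v3 {noauth|auth|priv}
GROUP_V3_RE = re.compile(r"^snmp-server group \S+ v3 (?P<level>noauth|auth|priv)", re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    line: str      # offending config line, or "<summary>" for whole-config findings
    reason: str


def is_weak_community(community: str) -> bool:
    """A community is weak if it is a known default or too short to resist guessing."""
    return community.lower() in DEFAULT_COMMUNITIES or len(community) < 12


def audit_config(config: str) -> list[Finding]:
    findings: list[Finding] = []
    community_lines = 0
    v3_priv = False
    modern_mgmt: set[str] = set()

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank or comment line

        m = COMMUNITY_RE.match(line)
        if m:
            community_lines += 1  # any community line means v1/v2c is enabled
            mode = (m.group("mode") or "RO").upper()
            if is_weak_community(m.group("community")):
                findings.append(Finding("high", line, f"default or weak community string ({mode})"))
            if mode == "RW":
                findings.append(Finding("high", line, "read-write community grants configuration access"))
            if m.group("acl") is None:
                findings.append(Finding("medium", line, "no access-list restricts SNMP source addresses"))
            continue

        g = GROUP_V3_RE.match(line)
        if g:
            if g.group("level").lower() == "priv":
                v3_priv = True
            else:
                findings.append(Finding("medium", line, "SNMPv3 group without priv level: traffic is not encrypted"))
            continue

        if line in ("netconf-yang", "restconf"):
            modern_mgmt.add(line)

    if community_lines and not v3_priv:
        findings.append(Finding("medium", "<summary>", "only SNMP v1/v2c communities in use; no SNMPv3 priv group"))
    if community_lines and not modern_mgmt:
        findings.append(Finding("info", "<summary>", "no NETCONF/RESTCONF configured as an SNMP replacement"))
    return findings


# Constructed sample: the weak configuration beside a hardened one.
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
snmp-server community public RO
snmp-server community private RW
snmp-server community Xk9#vQ2pLm7!rT4z RO 99
snmp-server group NMS-V3 v3 auth
!
access-list 99 permit 10.0.0.0 0.0.0.255
"""

HARDENED_CONFIG = """\
hostname edge-rtr-01
snmp-server group NMS-V3 v3 priv
netconf-yang
restconf
"""

if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} config ==")
        for f in audit_config(cfg):
            print(f"[{f.severity}] {f.reason}: {f.line}")
```

Run against the constructed weak configuration, the script reports three high findings (the `public` and `private` communities, and `private` being read-write) plus the missing access-lists, the unencrypted `auth`-level v3 group, and the two summary items; the hardened configuration produces no findings. The length threshold and default list are deliberately simple and should be tuned to local policy.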
Cisco Talos, in a coordinated advisory, said the attack was part of a wider campaign targeting network equipment and software from multiple vendors to “advance espionage purposes or pre-position for future destructive activity.”
This includes installation of malicious software onto infrastructure devices, attempts to monitor network traffic, and attacks mounted by “adversaries with pre-existing access to internal environments targeting TACACS+/RADIUS servers for credentials.”
“Route/switch devices are stable, rarely checked from a security perspective, often poorly patched and provide deep network visibility,” said Matt Olney, director of threat intelligence and interdiction at Cisco.
“They are the perfect target for an adversary who wants to be silent and have access to critical intelligence capabilities and a foothold in select networks. National intelligence agencies and state-sponsored actors around the world have targeted network infrastructure as a primary target for attack.”
The warning comes months after the US government raised the alarm about a China-based nation-state hacking crew exploiting network vulnerabilities to target public and private sector organizations since at least 2020.
Then earlier this year, Google’s Mandiant highlighted attempts by Chinese state-sponsored threat actors to spread bespoke malware on vulnerable Fortinet and SonicWall devices.
“Advanced cyber espionage threat actors leverage any available technology to survive and traverse the target environment, especially technologies that do not support endpoint detection and response (EDR) solutions,” Mandiant said.