Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Malware & Threats

US, UK: Russia Exploiting Old Vulnerability to Hack Cisco Routers

US and UK government agencies have issued a joint warning for Russian group APT28 targeting Cisco routers by exploiting an old vulnerability.

Cisco router hacked

Government agencies in the United States and United Kingdom have issued a joint cybersecurity advisory to warn organizations about attacks in which a Russian threat group has exploited an old vulnerability to hack Cisco routers.

The threat actor in question is APT28 (aka Fancy Bear, Strontium, Pawn Storm, Sednit Gang and Sofacy), which has officially been linked by the US and UK to a Russian military intelligence unit. 

The APT28 attacks detailed this week targeted Cisco routers in the United States, Ukraine and other European countries in 2021. However, the exploited vulnerabilities still pose a significant risk, with Cisco saying that it’s “deeply concerned by an increase in the rate of high-sophistication attacks on network infrastructure”.

An advisory released on Tuesday by the UK’s National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the NSA focuses on exploitation of CVE-2017-6742. Cisco informed customers about this and other similar vulnerabilities in 2017, when it made available patches and mitigations.

Cisco has warned customers about in-the-wild exploitation since 2018, but the company updated its original advisory this week to clarify that CVE-2017-6742 and seven other vulnerabilities patched in 2017 have been exploited. 

The flaws impact the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE software, and they allow a remote, authenticated attacker to execute arbitrary code on the targeted device by sending specially crafted SNMP packets. 

SNMP allows network administrators to remotely monitor and configure devices, but it can also be abused by hackers, particularly if default or easy-to-guess SNMP community strings are used. 

Advertisement. Scroll to continue reading.

According to the US and UK agencies, in some of the attacks aimed at unpatched Cisco routers, APT28 used SNMP exploits to deploy malware that allowed the attackers to obtain additional device information and enable backdoor access to the system.

One piece of malware used to target Cisco routers via CVE-2017-6742 has been named Jaguar Tooth, and a report detailing the threat has been published by the NCSC. The malware is non-persistent, which means it cannot survive a reboot of the compromised device.

In a blog post published on Tuesday, Cisco reported seeing various activities conducted by threat actors on hacked infrastructure devices. The list includes installing malware, hijacking DNS traffic, modifying device configurations to gain further access, modifying memory to reintroduce patched vulnerabilities, capturing traffic, and using devices for attack delivery or command and control (C&C) purposes. 

The installation of malware on a device, Cisco said, allows an attacker to make changes that prevent malicious traffic from being blocked, provides backdoor access, can cause disruption by disabling the device, and enables traffic redirection.  

According to Cisco, even if a device is unpatched, applying best practices such as using a well-selected SNMP community string can prevent attacks. 

In addition, the networking giant pointed out that recently leaked files describing Russia’s cyber capabilities suggest that attacks are not limited to its own products, with hackers being able to target switches and routers made by nearly 20 manufacturers. 

Cisco also noted that network equipment is not targeted only by Russian hackers, but by Chinese state-sponsored threat actors as well. 

“Route/switch devices are stable, infrequently examined from a security perspective, are often poorly patched and provide deep network visibility. They are the perfect target for an adversary looking to be both quiet and have access to important intelligence capability as well as a foothold in a preferred network,” Cisco said.

Cisco has also published a separate blog post providing resources for hardening devices, detecting attacks, and performing forensic investigations. 

Related: CISA Says Recent Cisco Router Vulnerabilities Exploited in Attacks

Related: Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.