Government agencies in the United States and United Kingdom have issued a joint cybersecurity advisory to warn organizations about attacks in which a Russian threat group has exploited an old vulnerability to hack Cisco routers.
The threat actor in question is APT28 (aka Fancy Bear, Strontium, Pawn Storm, Sednit Gang and Sofacy), which has officially been linked by the US and UK to a Russian military intelligence unit.
The APT28 attacks detailed this week targeted Cisco routers in the United States, Ukraine and other European countries in 2021. However, the exploited vulnerabilities still pose a significant risk, with Cisco saying that it’s “deeply concerned by an increase in the rate of high-sophistication attacks on network infrastructure”.
An advisory released on Tuesday by the UK’s National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the NSA focuses on exploitation of CVE-2017-6742. Cisco informed customers about this and other similar vulnerabilities in 2017, when it made available patches and mitigations.
Cisco has warned customers about in-the-wild exploitation since 2018, but the company updated its original advisory this week to clarify that CVE-2017-6742 and seven other vulnerabilities patched in 2017 have been exploited.
The flaws impact the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE software, and they allow a remote, authenticated attacker to execute arbitrary code on the targeted device by sending specially crafted SNMP packets.
SNMP allows network administrators to remotely monitor and configure devices, but it can also be abused by hackers, particularly if default or easy-to-guess SNMP community strings are used.
According to the US and UK agencies, in some of the attacks aimed at unpatched Cisco routers, APT28 used SNMP exploits to deploy malware that allowed the attackers to obtain additional device information and enable backdoor access to the system.
One piece of malware used to target Cisco routers via CVE-2017-6742 has been named Jaguar Tooth, and a report detailing the threat has been published by the NCSC. The malware is non-persistent, which means it cannot survive a reboot of the compromised device.
In a blog post published on Tuesday, Cisco reported seeing various activities conducted by threat actors on hacked infrastructure devices. The list includes installing malware, hijacking DNS traffic, modifying device configurations to gain further access, modifying memory to reintroduce patched vulnerabilities, capturing traffic, and using devices for attack delivery or command and control (C&C) purposes.
The installation of malware on a device, Cisco said, allows an attacker to make changes that prevent malicious traffic from being blocked, provides backdoor access, can cause disruption by disabling the device, and enables traffic redirection.
According to Cisco, even if a device is unpatched, applying best practices such as using a well-selected SNMP community string can prevent attacks.
In addition, the networking giant pointed out that recently leaked files describing Russia’s cyber capabilities suggest that attacks are not limited to its own products, with hackers being able to target switches and routers made by nearly 20 manufacturers.
Cisco also noted that network equipment is not targeted only by Russian hackers, but by Chinese state-sponsored threat actors as well.
“Route/switch devices are stable, infrequently examined from a security perspective, are often poorly patched and provide deep network visibility. They are the perfect target for an adversary looking to be both quiet and have access to important intelligence capability as well as a foothold in a preferred network,” Cisco said.
Cisco has also published a separate blog post providing resources for hardening devices, detecting attacks, and performing forensic investigations.
Related: CISA Says Recent Cisco Router Vulnerabilities Exploited in Attacks
Related: Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots