Government agencies in the United States and United Kingdom have issued a joint cybersecurity advisory to warn organizations about attacks in which a Russian threat group has exploited an old vulnerability to hack Cisco routers.
The threat actor in question is APT28 (aka Fancy Bear, Strontium, Pawn Storm, Sednit Gang and Sofacy), which has officially been linked by the US and UK to a Russian military intelligence unit.
The APT28 attacks detailed this week targeted Cisco routers in the United States, Ukraine and other European countries in 2021. However, the exploited vulnerabilities still pose a significant risk, with Cisco saying that it’s “deeply concerned by an increase in the rate of high-sophistication attacks on network infrastructure”.
An advisory released on Tuesday by the UK’s National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the NSA focuses on exploitation of CVE-2017-6742. Cisco informed customers about this and other similar vulnerabilities in 2017, when it made available patches and mitigations.
Cisco has warned customers about in-the-wild exploitation since 2018, but the company updated its original advisory this week to clarify that CVE-2017-6742 and seven other vulnerabilities patched in 2017 have been exploited.
The flaws impact the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE software, and they allow a remote, authenticated attacker to execute arbitrary code on the targeted device by sending specially crafted SNMP packets.
SNMP allows network administrators to remotely monitor and configure devices, but it can also be abused by hackers, particularly if default or easy-to-guess SNMP community strings are used.
According to the US and UK agencies, in some of the attacks aimed at unpatched Cisco routers, APT28 used SNMP exploits to deploy malware that allowed the attackers to obtain additional device information and enable backdoor access to the system.
One piece of malware used to target Cisco routers via CVE-2017-6742 has been named Jaguar Tooth, and a report detailing the threat has been published by the NCSC. The malware is non-persistent, which means it cannot survive a reboot of the compromised device.
In a blog post published on Tuesday, Cisco reported seeing various activities conducted by threat actors on hacked infrastructure devices. The list includes installing malware, hijacking DNS traffic, modifying device configurations to gain further access, modifying memory to reintroduce patched vulnerabilities, capturing traffic, and using devices for attack delivery or command and control (C&C) purposes.
The installation of malware on a device, Cisco said, allows an attacker to make changes that prevent malicious traffic from being blocked, provides backdoor access, can cause disruption by disabling the device, and enables traffic redirection.
According to Cisco, even if a device is unpatched, applying best practices such as using a well-selected SNMP community string can prevent attacks.
In addition, the networking giant pointed out that recently leaked files describing Russia’s cyber capabilities suggest that attacks are not limited to its own products, with hackers being able to target switches and routers made by nearly 20 manufacturers.
Cisco also noted that network equipment is not targeted only by Russian hackers, but by Chinese state-sponsored threat actors as well.
“Route/switch devices are stable, infrequently examined from a security perspective, are often poorly patched and provide deep network visibility. They are the perfect target for an adversary looking to be both quiet and have access to important intelligence capability as well as a foothold in a preferred network,” Cisco said.
Cisco has also published a separate blog post providing resources for hardening devices, detecting attacks, and performing forensic investigations.
Related: CISA Says Recent Cisco Router Vulnerabilities Exploited in Attacks
Related: Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Zyxel Firewalls Hacked by Mirai Botnet
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations
- Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances
- OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
- New Honeywell OT Cybersecurity Solution Helps Identify Vulnerabilities, Threats
- Rheinmetall Says Military Business Not Impacted by Ransomware Attack
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
