APT28 Hackers Deploy Malware on Cisco Routers Via Unpatched Vulnerabilities

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


The following agencies have recently published a joint advisory warning of APT28, a Russian state-sponsored group that has been observed deploying ‘Jaguar Tooth,’ a custom malware, on Cisco IOS routers:-

  • The UK National Cyber Security Centre (NCSC)
  • The US National Security Agency (NSA)
  • US Cybersecurity and Infrastructure Security Agency (CISA)
  • US Federal Bureau of Investigation (FBI)

By exploiting unpatched vulnerabilities in Cisco routers, the threat actors gain access to the target device without any authentication.

Here below, we have mentioned the other names of APT28:-

  • Fancy Bear
  • Strontium
  • Pawn Storm
  • Sednit Gang
  • Sofacy

Cybersecurity analysts and experts have linked this state-sponsored hacking group to Russia’s General Staff Main Intelligence Directorate (GRU).

Custom malware

Jaguar Tooth targets the Cisco routers running outdated firmware by directly infecting their memory. The malware ‘Jaguar Tooth’ extracts data from the compromised router and enables unauthorized access by creating a backdoor.

APT28 exploited CVE-2017-6742, a vulnerability Cisco announced on 29 June 2017 and for which patched software has been available since then.

The attackers deploying ‘Jaguar Tooth’ actively hunt for vulnerable Cisco routers by scanning publicly reachable routers for commonly used weak SNMP community strings such as ‘public,’ and then plant the malware on the devices they find.

Like login credentials, SNMP community strings function as access codes: anyone who knows one can read SNMP data from the device.

After gaining access to the Cisco router, the attackers manipulate its memory and plant ‘Jaguar Tooth,’ a non-persistent and customized malware.

Once ‘Jaguar Tooth’ is in place, anyone connecting to the router over Telnet or through a physical connection can log into existing local accounts without providing a password.

Recommendations

Here below, we have mentioned all the recommendations offered by the security experts:-

  • To mitigate these attacks, Cisco administrators should update their router’s firmware to the latest version.
  • Switch from SNMP to NETCONF/RESTCONF for remote management of public routers.
  • If SNMP is required on publicly exposed routers, configure allow and deny lists to restrict which hosts may query it.
  • Disable SNMP v2 and Telnet on Cisco routers.
  • If a device is suspected to be compromised, verify the integrity of the IOS image and revoke all keys associated with the device.
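The scanning described above works because weak community strings and Telnet are still common in router configurations. As an added example (not code from the advisory, Cisco, or this article), the following Python script audits a Cisco IOS running-config for the exact exposures the recommendations target: well-known or read-write community strings, communities with no access-list, SNMPv3 groups without authentication, and Telnet on the vty lines. Both configs are constructed for illustration; the host name, ACL number, group and user names are made up, and the SNMPv3 passphrases are placeholders.

```python
"""Audit a Cisco IOS running-config for the SNMP and Telnet weaknesses the
advisory warns about. Added example, not the advisory's or Cisco's own code.
The IOS command syntax used (snmp-server community/group, line vty,
transport input) is standard; host names, ACL numbers and user names are
constructed placeholders."""

# Community strings that scanners try first; 'public' is the one the article names.
WEAK_COMMUNITIES = {"public", "private"}

NO_TRANSPORT_MSG = ("vty lines have no explicit 'transport input'; the default depends "
                    "on the IOS release and may permit Telnet, review manually")

# Constructed example of a config the attackers' scanning would find.
WEAK_CONFIG = """\
hostname edge-router-1
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed example following the recommendations: SNMPv3 with auth/priv,
# polling restricted to one host by ACL, no v2c community, SSH-only vty lines.
HARDENED_CONFIG = """\
hostname edge-router-1
access-list 10 permit 192.0.2.10
access-list 10 deny any
snmp-server group NMS-GROUP v3 priv access 10
snmp-server user nms-poller NMS-GROUP v3 auth sha AUTH-PASS-PLACEHOLDER priv aes 128 PRIV-PASS-PLACEHOLDER
line vty 0 4
 transport input ssh
 login local
"""


def check_community(args: list[str]) -> list[tuple[str, str]]:
    """Inspect the tokens after 'snmp-server community':
    <string> [view NAME] [RO|RW] [acl]."""
    if not args:
        return [("low", "malformed snmp-server community line")]
    community, rest = args[0], args[1:]
    if rest[:1] == ["view"]:          # skip an optional 'view NAME' pair
        rest = rest[2:]
    mode = "RO"                       # IOS defaults to read-only
    if rest and rest[0].upper() in ("RO", "RW"):
        mode, rest = rest[0].upper(), rest[1:]
    acl = rest[0] if rest else None
    out = [("low", f"SNMPv1/v2c community '{community}' configured; prefer SNMPv3 with auth/priv")]
    if community.lower() in WEAK_COMMUNITIES:
        out.append(("high", f"well-known community string '{community}' ({mode})"))
    if mode == "RW":
        out.append(("high", f"read-write community '{community}' allows configuration changes"))
    if acl is None:
        out.append(("medium", f"community '{community}' has no access-list restricting source hosts"))
    return out


def audit_ios_config(config: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for SNMP and Telnet exposure."""
    findings: list[tuple[str, str]] = []
    in_vty = False
    vty_has_transport = False
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if in_vty and not line.startswith(" "):
            # A non-indented line ends the 'line vty' block.
            if not vty_has_transport:
                findings.append(("medium", NO_TRANSPORT_MSG))
            in_vty = False
        tokens = line.split()
        if tokens[:2] == ["snmp-server", "community"]:
            findings.extend(check_community(tokens[2:]))
        elif tokens[:2] == ["snmp-server", "group"] and "v3" in tokens and "noauth" in tokens:
            findings.append(("medium", f"SNMPv3 group {tokens[2]} uses noauth"))
        elif tokens[:2] == ["line", "vty"]:
            in_vty, vty_has_transport = True, False
        elif in_vty and tokens[:2] == ["transport", "input"]:
            vty_has_transport = True
            if set(tokens[2:]) & {"telnet", "all"}:
                findings.append(("high", f"Telnet permitted on vty lines: {line.strip()}"))
    if in_vty and not vty_has_transport:
        findings.append(("medium", NO_TRANSPORT_MSG))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} config ==")
        for severity, message in audit_ios_config(cfg) or [("ok", "no findings")]:
            print(f"[{severity}] {message}")
```

Run it against `show running-config` output saved to a file by replacing the embedded strings; the audit deliberately flags every v1/v2c community as at least "low" so that a device that still needs SNMP v2c with an ACL shows up for migration to SNMPv3, while the hardened config above produces no findings.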

Vulnerable Cisco devices can still be exploited using the TTPs described in the advisory, so Cisco recommends that organizations follow its mitigation recommendations.

