Russian Fancy Bear APT Exploited Unpatched Cisco Routers to Hack US, EU Gov't Agencies

The nation-state threat group deployed custom malware on archaic versions of Cisco’s router operating system. Experts warn that such attacks targeting network infrastructure are on the rise.

DARKReading

As recently as 2021, the notorious Russian APT28 was exploiting network routers running outdated versions of Cisco’s IOS and IOS XE operating system software, using them to deploy backdoors in networks across European and American government institutions.

APT28 — aka Fancy Bear, Strontium, Tsar Team, and Sofacy Group — is best known for its campaigns against Ukraine and the 2016 US elections. The UK National Cyber Security Centre (NCSC) has attributed this group to the 85th Special Service Centre, Military Intelligence Unit 26165, part of Russia’s General Staff Main Intelligence Directorate (GRU).

NCSC, National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and FBI this week published a joint advisory outlining one of APT28’s less technically impressive but more economic maneuvers. According to their findings, the group used unpatched Cisco routers to access “a small number” of EU and US government institutions, on top of “approximately 250 Ukrainian victims.”

Though the campaign took place two years ago, Cisco Talos in a blog post expressed how “deeply concerned” it is “by an increase in the rate of high-sophistication attacks on network infrastructure” by nation-state actors.

“We certainly have seen an increase over the last several years — even over the last six to 12 months — in targeting this type of infrastructure,” says JJ Cummings, national security principal at Cisco Talos. “I think this is probably only the tip of the iceberg.”

Taking Advantage of Vulnerable Routers

On June 29, 2017, Cisco revealed a series of vulnerabilities in the Simple Network Management Protocol (SNMP), a communications protocol for network devices running IOS versions 12.0 through 12.4 and 15.0 through 15.6, and IOS XE 2.2 through 3.17.

A specially crafted SNMP packet, the company explained, could have allowed attackers to remotely execute code on affected devices, or cause them to reboot. The vulnerabilities were grouped under CVE-2017-6742 and assigned a “High” CVSS score of 8.8.

Though a patch for the SNMP vulnerabilities was released all those years ago, by 2021 APT28 was still exploiting Cisco routers to access US, EU, and primarily Ukrainian government networks.

In the same way administrators use SNMP to remotely monitor and configure network devices, APT28 used it to remotely access devices and penetrate networks.

“A number of software tools can scan the entire network using SNMP,” the advisory explained, “meaning that poor configuration such as using default or easy-to-guess community strings, can make a network susceptible to attacks.”

In particular, APT28 took advantage of weak passwords — “community strings,” in Cisco parlance — such as the default public string in order to crack routers and, in some cases, deploy their “Jaguar Tooth” malware. Jaguar Tooth was specifically designed to exploit CVE-2017-6742, stealing device information and planting a backdoor for persistent access.

Thousands of Routers Are Exposed Online

A remarkable number of enterprise Internet routers in operation today are publicly exposed on the open Internet. And they’re not only exposed — they’re vulnerable. For scale, consider this:

After a series of vulnerabilities were discovered in multiple Cisco Small Business Routers earlier this year, software company Censys scanned for any potentially vulnerable devices online. The search returned over 20,000 results, the vast majority of which are still equally exposed to this day.

And just as a software company can identify these devices, so can hackers. “Usually, cybercriminals will be using tools like Shodan or Nmap to scan and look for exposed devices connected to the internet,” explains James McQuiggan, security awareness advocate at KnowBe4. “Organizations may try the ‘security by obscurity’ model, hoping they’re not discovered running older legacy systems,” he says, but hackers who can find and so easily exploit these devices “have opened the electronic front door.”

Cisco regularly publishes information about new vulnerabilities and risks to IT infrastructure, such as this blog post published on April 18.

Why Routers Go Unpatched

In IT environments, Cummings observes, there’s one main reason why routing devices remain unpatched for years at a time. “Think about what the primary mission of a network operations team is: to keep the network up and running, right?” A byproduct of this prioritization of reliability and availability, he says, could be that “if a device is not broken, maybe they’re not going to fix it.”

Further, updating can sometimes come at a cost — albeit temporary — for operations. “We’ve seen in a couple of cases that, while the process to upgrade isn’t necessarily difficult or arduous, it’s also not always without risk for network availability.” If availability is the primary goal, “if they’re incentivized not to impact that, anything that gets in the way is something that they’re going to shy away from.”

Updating IOS and IOS XE is necessary for addressing CVE-2017-6742, but in cases where doing so is tricky, there are other simple changes IT administrators can make to harden against similar infrastructure breaches. “If updates are not possible,” McQuiggan says, “network monitoring — even if it’s by a third-party managed security service — can alert of intrusions and possible unauthorized logins to external-facing networking equipment.”

In its blog post, Cisco emphasized more than anything the need to restrict infrastructure to trusted users. “Designed to prevent unauthorized direct communication to network devices, infrastructure access control lists (ACLs) are one of the most critical security controls that can be implemented in networks,” they wrote. “Exploitation of these vulnerabilities is best prevented by restricting access to trusted administrators and IP addresses.”
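As an added example (not from the article, the joint advisory or Cisco), the following audit reads a router's running-config and flags the two weaknesses described above: default or easy-to-guess SNMP community strings, and SNMP access that no ACL restricts to trusted hosts. The weak-string shortlist, the finding labels and the sample configuration are assumptions constructed for illustration.

```python
import re

# Assumed shortlist of guessable strings; "public" is the default the article names.
WEAK = {"public", "private", "cisco", "admin", "snmp", "monitor"}
# Constructed sample running-config lines (addresses and strings are invented).
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.10
ip access-list standard SNMP-MGMT
 permit 192.0.2.11
snmp-server community public RO
snmp-server community private RW 10
snmp-server community n0c-7f3a-Xq view NOCVIEW RO SNMP-MGMT
snmp-server community b4ckup-9Kd2 RO 99
"""

ACL_DEF = re.compile(r"(?:ip(?:v6)?\s+)?access-list\s+(?:(?:standard|extended)\s+)?(\S+)")

def defined_acls(config):
    """Names and numbers of the ACLs that this config defines."""
    hits = (ACL_DEF.match(line.strip()) for line in config.splitlines())
    return {m.group(1) for m in hits if m}

def audit_snmp(config):
    """Return (community, finding) pairs for each 'snmp-server community' line."""
    acls, findings = defined_acls(config), []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["snmp-server", "community"] or len(tok) < 3:
            continue
        name, mode, refs, words = tok[2], "ro", [], iter(tok[3:])
        for w in words:
            if w.lower() in ("ro", "rw"):
                mode = w.lower()
            elif w.lower() in ("view", "ipv6"):
                arg = next(words, None)      # keyword is followed by a name
                if w.lower() == "ipv6" and arg:
                    refs.append(arg)         # IPv6 ACL reference
            else:
                refs.append(w)               # bare token: IPv4 ACL number or name
        checks = [(name.lower() in WEAK, "default or easy-to-guess string"),
                  (mode == "rw", "read-write access"),
                  (not refs, "no ACL limits which hosts may query")]
        checks += [(r not in acls, f"ACL {r} is referenced but not defined") for r in refs]
        findings += [(name, msg) for hit, msg in checks if hit]
    return findings

if __name__ == "__main__":
    print(*audit_snmp(SAMPLE_CONFIG), sep="\n")
```

A clean result here does not mean the device is patched; the IOS or IOS XE version still has to be checked against Cisco's advisory for CVE-2017-6742.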

Related news

U.S. and U.K. Warn of Russian Hackers Exploiting Cisco Router Flaws for Espionage

U.K. and U.S. cybersecurity and intelligence agencies have warned of Russian nation-state actors exploiting now-patched flaws in networking equipment from Cisco to conduct reconnaissance and deploy malware against targets. The intrusions, per the authorities, took place in 2021 and targeted a small number of entities in Europe, U.S. government institutions, and about 250 Ukrainian victims. The

State-sponsored campaigns target global network infrastructure

This campaign, dubbed "Jaguar Tooth," is an example of a much broader trend of sophisticated adversaries targeting networking infrastructure to advance espionage objectives or pre-position for future destructive activity.

CVE-2017-6744: Cisco Security Advisory: SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software

The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6. Only traffic directed to an affected system can be used to exploit these vulnerabilities. The vulnerabilities are due to a buffer overflow condition in the SNMP subsystem of the affected software. The vulnerabilities affect all versions of SNMP - Versions 1, 2c, and 3. To exploit these vulnerabilities via SNMP Version 2c or earlier, the attacker must know the SNMP read-only community string for the affected system. To exploit these vulnerabilities via SNMP Version 3, the attacker must have user credentials for the affected system. A successful exploit could allow the attacker to execute arbitrary code and obt...
