
U.S. and U.K. Warn of Russian Hackers Exploiting Cisco Router Flaws for Espionage

The Hacker News
Network Security / Cyber Espionage

U.K. and U.S. cybersecurity and intelligence agencies have warned of Russian nation-state actors exploiting now-patched flaws in networking equipment from Cisco to conduct reconnaissance and deploy malware against targets.

The intrusions, per the authorities, took place in 2021 and targeted a small number of entities in Europe, U.S. government institutions, and about 250 Ukrainian victims.

The activity has been attributed to a threat actor tracked as APT28, which is also known as Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, and Sofacy, and is affiliated with the Russian General Staff Main Intelligence Directorate (GRU).

“APT28 has been known to access vulnerable routers by using default and weak SNMP community strings, and by exploiting CVE-2017-6742,” the National Cyber Security Centre (NCSC) said.

CVE-2017-6742 (CVSS score: 8.8) is part of a set of remote code execution flaws that stem from a buffer overflow condition in the Simple Network Management Protocol (SNMP) subsystem in Cisco IOS and IOS XE Software.

In the attacks observed by the agencies, the threat actor weaponized the vulnerability to deploy a non-persistent malware dubbed Jaguar Tooth on Cisco routers that’s capable of gathering device information and enabling unauthenticated backdoor access.

While the issues were patched in June 2017, they have since come under public exploitation as of January 11, 2018, underscoring the need for robust patch management practices to limit the attack surface.

Besides updating to the latest firmware to mitigate potential threats, Cisco also recommends that users switch from SNMP to NETCONF or RESTCONF for network management.
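The two mitigations the agencies and Cisco describe above (stop relying on default or weak SNMP community strings, and move off SNMPv1/v2c) can be checked mechanically against a router's running-config. The script below is an added example written for this article; it is not code from Cisco, the NCSC or The Hacker News. It parses the `snmp-server community`, `snmp-server host` and `snmp-server group` lines of a Cisco IOS / IOS XE config, flags default strings, read-write communities, communities with no access list, and any remaining v1/v2c usage, and treats a config with no v1/v2c exposure and an SNMPv3 group at the `priv` level as acceptable until the device is migrated to NETCONF/RESTCONF. The two config fragments, the hostname, the `192.0.2.50` poller address, the ACL number and the default-string list are constructed for the example, not taken from any real device.

```python
"""Audit a Cisco IOS / IOS XE running-config for weak SNMP exposure.

Added example for this article, not code from Cisco, NCSC or The Hacker News.
The config fragments below are constructed samples, not device captures.
"""
import re
from dataclasses import dataclass
from typing import List

# Well-known community strings that scanners try first (assumed list; extend it
# with any strings your organisation has retired).
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "secret"}
MIN_COMMUNITY_LEN = 12  # local policy assumption, not a Cisco requirement

# IOS syntax: snmp-server community <string> [view <v>] [RO|RW] [ipv6 <nacl>] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<string>\S+)"
    r"(?:\s+view\s+\S+)?"
    r"(?:\s+(?P<mode>RO|RW))?"
    r"(?:\s+ipv6\s+\S+)?"
    r"(?:\s+(?P<acl>\S+))?\s*$"
)
HOST_RE = re.compile(r"^snmp-server host \S+.*\bversion\s+(?P<ver>1|2c|3)\b")
V3_GROUP_RE = re.compile(r"^snmp-server group \S+ v3 (?P<level>noauth|auth|priv)\b")

# Constructed "before" config: the kind of exposure the advisory warns about.
WEAK_CONFIG = """\
hostname edge-rtr-1
snmp-server community public RO
snmp-server community private RW
snmp-server community c1sc0 RO 10
snmp-server host 192.0.2.50 version 2c public
"""

# Constructed "after" config: no community strings, SNMPv3 auth+priv only,
# polling restricted to one management host by ACL 10.
HARDENED_CONFIG = """\
hostname edge-rtr-1
access-list 10 permit 192.0.2.50
snmp-server view NMS-VIEW iso included
snmp-server group NMS-GROUP v3 priv read NMS-VIEW access 10
snmp-server host 192.0.2.50 version 3 priv nms-poller
"""


@dataclass
class Finding:
    severity: str  # HIGH / MEDIUM / LOW
    line_no: int   # 0 = whole-config finding
    message: str


def audit_snmp_config(config_text: str) -> List[Finding]:
    """Return one Finding per weak SNMP setting found in the config text."""
    findings: List[Finding] = []
    has_v1_v2c = False
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            has_v1_v2c = True
            community, mode, acl = m["string"], m["mode"] or "RO", m["acl"]
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding("HIGH", line_no, f"default community string '{community}'"))
            elif len(community) < MIN_COMMUNITY_LEN:
                findings.append(Finding("MEDIUM", line_no, f"short community string '{community}'"))
            if mode == "RW":
                findings.append(Finding("HIGH", line_no, "read-write community allows config changes"))
            if acl is None:
                findings.append(Finding("MEDIUM", line_no, "community not restricted by an access list"))
            continue
        m = HOST_RE.match(line)
        if m and m["ver"] != "3":
            has_v1_v2c = True
            findings.append(Finding("LOW", line_no, f"trap/inform host uses SNMPv{m['ver']}; community sent in cleartext"))
    if has_v1_v2c:
        # Per the Cisco advisory text, a v1/v2c read-only string is the only secret an
        # attacker needs to reach the SNMP subsystem, so its mere presence is a finding.
        findings.append(Finding("MEDIUM", 0, "SNMPv1/v2c still enabled; migrate to SNMPv3 or NETCONF/RESTCONF"))
    return findings


def is_hardened(config_text: str) -> bool:
    """True when the audit is clean and an SNMPv3 group at the 'priv' level exists."""
    has_v3_priv = False
    for raw in config_text.splitlines():
        m = V3_GROUP_RE.match(raw.strip())
        if m and m["level"] == "priv":
            has_v3_priv = True
    return has_v3_priv and not audit_snmp_config(config_text)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} config: hardened={is_hardened(cfg)}")
        for f in audit_snmp_config(cfg):
            print(f"  [{f.severity}] line {f.line_no}: {f.message}")
```

Run it against `show running-config` output saved to a file by replacing the constructed strings with the file contents; the parser ignores every line that is not an `snmp-server community`, `snmp-server host` or `snmp-server group` statement, so it is safe to feed a full config. The "short string" threshold and the default-string list are policy choices to tune locally.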

Cisco Talos, in a coordinated advisory, said the attacks are part of a broader campaign against aging networking appliances and software from a variety of vendors to “advance espionage objectives or pre-position for future destructive activity.”

This includes the installation of malicious software into an infrastructure device, attempts to surveil network traffic, and attacks mounted by “adversaries with preexisting access to internal environments targeting TACACS+/RADIUS servers to obtain credentials.”

The alert comes months after the U.S. government sounded the alarm about China-based state-sponsored cyber actors leveraging network vulnerabilities to exploit public and private sector organizations since at least 2020.

Then earlier this year, Google-owned Mandiant highlighted efforts undertaken by Chinese state-sponsored threat actors to deploy bespoke malware on vulnerable Fortinet and SonicWall devices.

“Advanced cyber espionage threat actors are taking advantage of any technology available to persist and traverse a target environment, especially those technologies that do not support [endpoint detection and response] solutions,” Mandiant said.

Related news

Russian Fancy Bear APT Exploited Unpatched Cisco Routers to Hack US, EU Gov't Agencies

The nation-state threat group deployed custom malware on archaic versions of Cisco's router operating system. Experts warn that such attacks targeting network infrastructure are on the rise.

State-sponsored campaigns target global network infrastructure

This campaign, dubbed "Jaguar Tooth," is an example of a much broader trend of sophisticated adversaries targeting networking infrastructure to advance espionage objectives or pre-position for future destructive activity.

CVE-2017-6744: Cisco Security Advisory: SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software

The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6. Only traffic directed to an affected system can be used to exploit these vulnerabilities. The vulnerabilities are due to a buffer overflow condition in the SNMP subsystem of the affected software. The vulnerabilities affect all versions of SNMP - Versions 1, 2c, and 3. To exploit these vulnerabilities via SNMP Version 2c or earlier, the attacker must know the SNMP read-only community string for the affected system. To exploit these vulnerabilities via SNMP Version 3, the attacker must have user credentials for the affected system. A successful exploit could allow the attacker to execute arbitrary code and obt...