APT28 Uses Vulnerability in Cisco Routers to Deploy Malware

The NCSC-UK, the NSA, CISA, and the FBI have published a joint advisory detailing the Russian hacker group APT28's exploitation of Cisco routers in 2021. APT28 has been exploiting poorly maintained Cisco routers and deploying custom malware on unpatched devices.

Diving into details

In 2021, APT28 used infrastructure to masquerade Simple Network Management Protocol (SNMP) access to Cisco routers worldwide. The campaign impacted some routers located in Europe and at U.S. government institutions, as well as roughly 250 individuals.
  • The group exploited CVE-2017-6742 to deploy custom malware known as Jaguar Tooth. Once installed, the malware extracts information from the router and grants unauthorized backdoor access to the device.
  • This non-persistent malware allows the attackers to access local accounts without authentication when connecting via Telnet or a physical session.
  • Furthermore, Jaguar Tooth creates a new process named 'Service Policy Lock' that collects the output of specific Command Line Interface (CLI) commands and transfers it using Trivial File Transfer Protocol (TFTP).
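The two network behaviours described above, unexpected SNMP access to a router and a router pushing CLI output out over TFTP, are both visible in flow telemetry. The following triage script is an added example (not part of the advisory or of any vendor tooling) that runs two such checks over constructed flow records and correlates them; the router, manager, and server addresses, the record format, and the field names are all assumptions for the sake of illustration.

```python
"""Flag SNMP (UDP/161) to routers from unexpected managers and router-initiated
TFTP (UDP/69) to unsanctioned hosts, then correlate the two.

Added example with constructed data; not from the joint advisory.
"""
from typing import Dict, List, Set

# Constructed inventory: router management addresses, the only host that is
# supposed to poll them over SNMP, and the sanctioned config-backup TFTP server.
ROUTERS: Set[str] = {"192.0.2.1", "192.0.2.2"}
SNMP_MANAGERS: Set[str] = {"198.51.100.10"}
TFTP_SERVERS: Set[str] = {"198.51.100.20"}

# Constructed flow records (one dict per flow).
FLOWS: List[Dict] = [
    {"src": "198.51.100.10", "dst": "192.0.2.1", "proto": "udp", "dport": 161, "bytes": 420},     # normal polling
    {"src": "203.0.113.77", "dst": "192.0.2.1", "proto": "udp", "dport": 161, "bytes": 9800},     # unexpected SNMP
    {"src": "192.0.2.1", "dst": "203.0.113.77", "proto": "udp", "dport": 69, "bytes": 15200},     # router -> TFTP out
    {"src": "192.0.2.2", "dst": "198.51.100.20", "proto": "udp", "dport": 69, "bytes": 3100},     # sanctioned backup
    {"src": "10.0.0.5", "dst": "192.0.2.2", "proto": "tcp", "dport": 22, "bytes": 2200},          # SSH, not in scope
]


def triage_flows(flows: List[Dict],
                 routers: Set[str] = ROUTERS,
                 snmp_managers: Set[str] = SNMP_MANAGERS,
                 tftp_servers: Set[str] = TFTP_SERVERS) -> List[str]:
    """Return one alert string per suspicious flow."""
    alerts: List[str] = []
    for f in flows:
        if f["proto"] != "udp":          # both SNMP and TFTP ride on UDP
            continue
        # SNMP toward a router from a host that is not an approved manager.
        if f["dport"] == 161 and f["dst"] in routers and f["src"] not in snmp_managers:
            alerts.append(f"SNMP to router {f['dst']} from unexpected source {f['src']} ({f['bytes']} bytes)")
        # A router acting as TFTP *client* toward a host that is not the backup server.
        if f["dport"] == 69 and f["src"] in routers and f["dst"] not in tftp_servers:
            alerts.append(f"router {f['src']} initiated TFTP to {f['dst']} ({f['bytes']} bytes): "
                          "possible CLI-output exfiltration")
    return alerts


def correlated_hosts(flows: List[Dict],
                     routers: Set[str] = ROUTERS,
                     snmp_managers: Set[str] = SNMP_MANAGERS,
                     tftp_servers: Set[str] = TFTP_SERVERS) -> List[str]:
    """Hosts that both sent unexpected SNMP to a router and received TFTP from one.

    Seeing the same external host on both sides raises confidence well above
    either alert alone, since each can also be a misconfigured tool.
    """
    snmp_sources = {f["src"] for f in flows
                    if f["proto"] == "udp" and f["dport"] == 161
                    and f["dst"] in routers and f["src"] not in snmp_managers}
    tftp_sinks = {f["dst"] for f in flows
                  if f["proto"] == "udp" and f["dport"] == 69
                  and f["src"] in routers and f["dst"] not in tftp_servers}
    return sorted(snmp_sources & tftp_sinks)


if __name__ == "__main__":
    for a in triage_flows(FLOWS):
        print("ALERT:", a)
    print("correlated hosts:", correlated_hosts(FLOWS))
```

The allow-lists are the important part: on a well-run network the set of hosts permitted to poll SNMP or receive router-initiated TFTP is small and known, so anything outside it is worth a look regardless of which malware family is responsible.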

Why this matters

The current advisory draws attention to an emerging pattern in which state-sponsored threat actors craft custom malware for network devices to carry out cyberespionage and surveillance.
  • For example, in March, Chinese hackers used custom malware to target vulnerable Fortinet devices in a string of attacks against government entities.
  • Similarly, in the same month, Mandiant reported on a suspected Chinese hacking campaign that leveraged custom malware to compromise exposed SonicWall devices.

The bottom line

Because corporate network traffic flows through these devices, a vulnerable router is a lucrative target for threat actors who want to surveil traffic and exfiltrate credentials for deeper access into a network. It therefore goes without saying: patch your vulnerable devices as soon as possible. CISA additionally advises disabling SNMP v2 or Telnet on Cisco routers, as these protocols could allow credentials to be stolen from unencrypted traffic.
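The two configuration weaknesses CISA calls out, SNMP v2 community strings and Telnet on the management lines, can be checked mechanically in a saved running-config. The audit below is an added example (not from the advisory, CISA, or Cisco) that parses two constructed Cisco IOS config fragments, one weak and one hardened; the hostnames, community strings, ACL name, and passphrase placeholders are all constructed, and the default-transport note for VTY lines without an explicit `transport input` is a conservative assumption rather than a statement about any particular IOS release.

```python
"""Audit a Cisco IOS running-config for SNMPv1/v2c communities, SNMPv3 groups
without privacy, and Telnet on VTY lines.

Added example with constructed configs; not from the advisory or from Cisco.
"""
import re
from typing import List

# Constructed weak configuration: cleartext communities and Telnet enabled.
WEAK_CONFIG = """\
hostname edge-rtr-1
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed hardened configuration: SNMPv3 authPriv bound to an ACL, SSH only.
HARDENED_CONFIG = """\
hostname edge-rtr-1
ip access-list standard SNMP-MGMT
 permit 192.0.2.10
snmp-server group NETMON v3 priv access SNMP-MGMT
snmp-server user monitor NETMON v3 auth sha AUTH-PASSPHRASE-PLACEHOLDER priv aes 128 PRIV-PASSPHRASE-PLACEHOLDER
line vty 0 4
 transport input ssh
 login local
"""


def audit_ios_config(config: str) -> List[str]:
    """Return a list of findings; an empty list means none of the checked weaknesses is present."""
    findings: List[str] = []
    lines = config.splitlines()
    i = 0
    while i < len(lines):
        ln = lines[i].rstrip()

        # 'snmp-server community <string> [view NAME] [RO|RW] [acl]' only exists for
        # SNMPv1/v2c; the community string is both cleartext and the only credential.
        m = re.match(r"^snmp-server community (\S+)\s*(.*)$", ln)
        if m:
            community, rest = m.group(1), m.group(2).split()
            if "view" in rest:                      # drop 'view NAME' so it is not mistaken for an ACL
                v = rest.index("view")
                del rest[v:v + 2]
            mode = "RW" if "RW" in rest else "RO"
            acl = [t for t in rest if t not in ("RO", "RW")]
            acl_note = f"ACL {acl[0]}" if acl else "no ACL"
            findings.append(f"SNMPv1/v2c community '{community}' ({mode}, {acl_note}): "
                            "cleartext community string; migrate to SNMPv3 authPriv")

        # SNMPv3 is only an improvement at the 'priv' level; 'noauth'/'auth' still send data in clear.
        m = re.match(r"^snmp-server group \S+ v3 (noauth|auth)\b", ln)
        if m:
            findings.append(f"SNMPv3 group with security level '{m.group(1)}': no encryption; use 'priv'")

        # Children of a 'line vty' block are indented by one space in IOS configs.
        if re.match(r"^line vty\b", ln):
            block: List[str] = []
            i += 1
            while i < len(lines) and lines[i].startswith(" "):
                block.append(lines[i].strip())
                i += 1
            transports = [b for b in block if b.startswith("transport input")]
            if not transports:
                findings.append(f"'{ln}' has no 'transport input' line: Telnet may be permitted by default")
            for t in transports:
                if "telnet" in t.split() or "all" in t.split():
                    findings.append(f"'{ln}' permits Telnet ('{t}'): cleartext logins; "
                                    "restrict to 'transport input ssh'")
            continue
        i += 1
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for f in audit_ios_config(cfg) or ["no findings"]:
            print(" -", f)
```

Running the audit across exported configs is a cheap way to find the devices that still speak SNMP v2 or Telnet before an attacker does; pair it with patch-level checks, since a hardened management plane does not remove the underlying CVE.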
Publisher: Cyware