Recently, the following agencies have published a joint advisory to warn of APT28, a Russian state-sponsored group that is found actively deploying the ‘Jaguar Tooth,’ a custom malware on Cisco IOS routers:-
- The UK National Cyber Security Centre (NCSC)
- The US National Security Agency (NSA)
- US Cybersecurity and Infrastructure Security Agency (CISA)
- US Federal Bureau of Investigation (FBI)
By exploiting the Unpatched vulnerabilities in Cisco routers, threat actors gain access to the target device without any authentication.
Here below, we have mentioned the other names of APT28:-
- Fancy Bear
- Strontium
- Pawn Storm
- Sednit Gang
- Sofacy
While cybersecurity analysts and experts have linked this state-sponsored hacking group to Russia’s General Staff Main Intelligence Directorate (GRU).
Custom malware
Jaguar Tooth targets the Cisco routers running outdated firmware by directly infecting their memory. The malware ‘Jaguar Tooth’ extracts data from the compromised router and enables unauthorized access by creating a backdoor.
APT28 exploited CVE-2017-6742, announced by Cisco on 29 June 2017, and patched software was available.
Hackers using ‘Jaguar Tooth’ are actively searching for vulnerable Cisco routers by scanning public routers for commonly used weak SNMP community strings like ‘public’ to plant the malware.
Like login credentials, SNMP community strings function as access codes that can extract SNMP data from a device.
After gaining access to the Cisco router, the attackers manipulate its memory and plant ‘Jaguar Tooth,’ a non-persistent and customized malware.
If you’re using Telnet or physically connecting to the device, you can get into existing local accounts without providing a password.
Recommendations
Here below, we have mentioned all the recommendations offered by the security experts:-
- To mitigate these attacks, Cisco administrators should update their router’s firmware to the latest version.
- Switch to NETCONF/RESTCONF from SNMP on the public routers for remote management.
- Publicly exposed routers should be configured with allow and deny lists if SNMP is required.
- Make sure to disable the SNMP v2 or Telnet on Cisco routers.
- Verify the integrity of the IOS image if a device is compromised so that all keys associated with the device can be revoked.
The vulnerable Cisco devices can still be exploited using the TTPs in this advisory. Cisco recommends that organizations follow the mitigation recommendations.
Copyright 2021 Associated Press. All rights reserved.
Source: https://cybersecuritynews.com/apt28-hackers-deploy-malware-on-cisco-routers/
