Russian APT 28 Havoc on Cisco Routers
National security agencies from the U.S. and U.K. have published an advisory on the TTPs associated with APT28’s exploitation of Cisco routers using CVE-2017-6742. APT28 is almost certainly of Russian origin, is linked to intelligence unit 26165, and is also known as Fancy Bear and STRONTIUM.
The advisory shows that APT28 abused the Simple Network Management Protocol (SNMP) to exploit the vulnerability and access vulnerable Cisco routers since 2021. Targets included U.S. government institutions, approximately 250 Ukrainian victims, and a small number of victims based in Europe.
SNMP is designed to let network administrators check and configure network devices remotely, but it can also be misused to obtain sensitive network information and, where devices are vulnerable or poorly configured, to exploit them as a foothold into a network.
Weak SNMP community strings, including the default ‘public’, allowed APT28 to access router information and enumerate router interfaces. The compromised routers were configured to accept SNMP v2 requests. SNMP v2 does not support encryption, so all data, including community strings, is sent in cleartext.
The Cisco vulnerability was first disclosed in 2017 and patches were made available; advisories also supplied workarounds, such as limiting SNMP access to trusted hosts only or disabling several SNMP Management Information Bases (MIBs).
The current advisory states that on the affected devices, APT28 actors used an SNMP exploit to deploy Jaguar Tooth. This malware collected further device information, which was exfiltrated over the Trivial File Transfer Protocol (TFTP), and enabled unauthenticated access via a backdoor. It also performed discovery of other devices on the network by querying the Address Resolution Protocol (ARP) table to obtain MAC addresses.
- Organizations need to keep software up to date.
- Do not use SNMP unless devices must be configured or managed remotely, to prevent unauthorized users from accessing the router.
- If SNMP is used, allow and deny lists must be in place for SNMP messages to prevent unauthorized users from accessing the router.
- Disable legacy and unencrypted management protocols, such as SNMP v2 and Telnet. Use a VPN where disabling them is not possible.
- Enforce a strong password policy and avoid reusing the same password across multiple devices.
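To make the SNMP recommendations above checkable, here is an added example (not from the advisory or from Cisco) that audits a Cisco IOS running-config excerpt for the weaknesses the advisory describes: v1/v2c community strings, default strings such as ‘public’, write access, missing access lists, and v3 groups that do not use encryption. The two config snippets, the ACL name SNMP-MGMT, the group NETOPS and the password placeholders are constructed for illustration.

```python
import re

# Constructed sample of a weak config, as an attacker would like to find it.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server host 192.0.2.10 version 2c public
"""

# Constructed sample of a hardened config: SNMPv3 with authentication and
# encryption (priv), restricted to management hosts by a standard ACL.
HARDENED_CONFIG = """\
ip access-list standard SNMP-MGMT
 permit 192.0.2.0 0.0.0.255
 deny any log
snmp-server group NETOPS v3 priv access SNMP-MGMT
snmp-server user netops NETOPS v3 auth sha AUTH-PASS-PLACEHOLDER priv aes 128 PRIV-PASS-PLACEHOLDER
"""

DEFAULT_COMMUNITIES = {"public", "private"}

# snmp-server community <string> [view <name>] [RO|RW] [ipv6 <nacl>] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: ipv6 \S+)?(?: (\S+))?$"
)
# snmp-server group <name> v3 {noauth|auth|priv} ...
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b")


def audit_snmp(config: str) -> list[str]:
    """Return a list of human-readable findings for weak SNMP settings."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            community, mode, acl = m.groups()
            # Any community string enables v1/v2c, which carries it in cleartext.
            findings.append(f"v1/v2c community '{community}' enabled (cleartext)")
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"default community string '{community}' in use")
            if mode == "RW":
                findings.append(f"community '{community}' grants write access")
            if acl is None:
                findings.append(f"community '{community}' has no access list")
        g = GROUP_RE.match(line)
        if g and g.group(2) != "priv":
            findings.append(f"v3 group '{g.group(1)}' uses '{g.group(2)}', not 'priv'")
    return findings
```

Run it against both samples: the hardened config yields no findings, while the weak one reports seven.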
The rise in attacks by nation-state hackers has increased the need for organizations to develop comprehensive security policies and incident response plans, and to stay abreast of the latest attack and threat intelligence. As threat actors adopt new TTPs, it is important to keep strengthening resilience.