Russian APT28 Exploits Old Vulnerability to Target Cisco Routers

April 19, 2023

US and UK government agencies have issued a joint cybersecurity advisory warning organizations about attacks in which Russian threat group APT28 has exploited an old vulnerability to hack Cisco routers. The threat actor, also known as Fancy Bear, Strontium, Pawn Storm, Sednit Gang, and Sofacy, has officially been linked by the US and UK to a Russian military intelligence unit. The APT28 attacks detailed this week targeted Cisco routers in the United States, Ukraine, and other European countries in 2021. However, the exploited vulnerabilities still pose a significant risk, with Cisco saying that it’s “deeply concerned by an increase in the rate of high-sophistication attacks on network infrastructure”.

The advisory released on Tuesday by the UK’s National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the NSA focuses on exploitation of CVE-2017-6742. Cisco informed customers about this and other similar vulnerabilities in 2017, when it made available patches and mitigations. Cisco has warned customers about in-the-wild exploitation since 2018, but the company updated its original advisory this week to clarify that CVE-2017-6742 and seven other vulnerabilities patched in 2017 have been exploited.

The flaws impact the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE software, and they allow a remote, authenticated attacker to execute arbitrary code on the targeted device by sending specially crafted SNMP packets. SNMP allows network administrators to remotely monitor and configure devices, but it can also be abused by hackers, particularly if default or easy-to-guess SNMP community strings are used.

According to the US and UK agencies, in some of the attacks aimed at unpatched Cisco routers, APT28 used SNMP exploits to deploy malware that allowed the attackers to obtain additional device information and enable backdoor access to the system. One piece of malware used to target Cisco routers via CVE-2017-6742 has been named Jaguar Tooth, and a report detailing the threat has been published by the NCSC. The malware is non-persistent, which means it cannot survive a reboot of the compromised device.

In a blog post published on Tuesday, Cisco reported seeing various activities conducted by threat actors on hacked infrastructure devices. The list includes installing malware, hijacking DNS traffic, modifying device configurations to gain further access, modifying memory to reintroduce patched vulnerabilities, capturing traffic, and using devices for attack delivery or command and control (C&C) purposes. The installation of malware on a device, Cisco said, allows an attacker to make changes that prevent malicious traffic from being blocked, provides backdoor access, can cause disruption by disabling the device, and enables traffic redirection.

According to Cisco, even if a device is unpatched, applying best practices such as using a well-selected SNMP community string can prevent attacks. In addition, the networking giant pointed out that recently leaked files describing Russia’s cyber capabilities suggest that attacks are not limited to its own products, with hackers being able to target switches and routers made by nearly 20 manufacturers. Cisco also noted that network equipment is not targeted only by Russian hackers, but by Chinese state-sponsored threat actors as well.

Cisco has also published a separate blog post providing resources for hardening devices, detecting attacks, and performing forensic investigations.

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.