The UK National Cyber Security Centre (NCSC-UK), the NSA, CISA, and the FBI have jointly published a report revealing that the APT28 group, also known as Strontium, Fancy Bear, Sednit, and Sofacy, exploited vulnerable Cisco routers to deploy custom malware on the compromised devices. The report, which is available here, shows that in 2021 the group used this access to reach Cisco routers worldwide over the Simple Network Management Protocol (SNMP). The campaign affected routers located in various European and US government agencies, as well as about 250 users.
The attackers exploited the vulnerability CVE-2017-6742 to deploy malware known as “Jaguar Tooth,” which extracts information from the router and provides unauthenticated backdoor access to the device. Jaguar Tooth grants attackers access to local accounts when connecting via Telnet or a physical console session. The malware also creates a new process called “Service Policy Lock,” which collects the output of a set of CLI commands and exfiltrates it over TFTP.
The advisory draws attention to a growing trend in which state-sponsored actors develop malware purpose-built for network devices, for espionage and monitoring. Since corporate network traffic passes through these devices, routers have become a lucrative target: an attacker who harvests credentials from a compromised router can use them to gain deeper access to the network.
Cisco is therefore urging administrators to patch their vulnerable devices as soon as possible. Experts also recommend moving from SNMP to NETCONF/RESTCONF for remote administration, which improves both security and functionality. Additionally, CISA advises disabling SNMP v2 and Telnet on Cisco routers, since these protocols let attackers harvest credentials from unencrypted traffic.
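One way to check a fleet of routers for the two settings the advisory tells administrators to turn off is to audit exported running-configs for SNMP v1/v2c community strings and Telnet-enabled VTY lines. The script below is an added example, not code from the advisory or from Cisco; the configuration excerpt it scans is constructed for a hypothetical router, and the `auth`/`noauth` SNMPv3 check goes slightly beyond the text by also flagging v3 groups that run without encryption.

```python
import re

# Constructed running-config excerpt for a hypothetical router; not from the advisory.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
snmp-server community public RO
snmp-server community s3cret RW 10
snmp-server group NETOPS v3 priv
snmp-server group LEGACY v3 noauth
line con 0
 transport input none
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

def audit_config(config: str) -> list[tuple[str, str]]:
    """Return (kind, detail) findings for each weak remote-management setting.
    Community strings are deliberately not echoed into the findings."""
    findings = []
    vty_block = None
    for raw in config.splitlines():
        line = raw.strip()
        # SNMP v1/v2c: the community string is the whole secret and travels in cleartext.
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", line)
        if m:
            access = m.group(2) or "RO"
            findings.append(("snmp-v2c", f"community string ({access}) configured; migrate to v3"))
            continue
        # SNMPv3 group without 'priv' sends requests unencrypted (noauth is also unauthenticated).
        m = re.match(r"snmp-server group (\S+) v3 (noauth|auth)\b", line)
        if m:
            findings.append(("snmp-v3-weak", f"group {m.group(1)} uses {m.group(2)}; use priv"))
            continue
        # Track the current 'line vty' block; any non-indented line ends it.
        if line.startswith("line vty"):
            vty_block = line
        elif not raw.startswith(" "):
            vty_block = None
        elif vty_block and line.startswith("transport input"):
            protocols = line.split()[2:]
            if "telnet" in protocols or "all" in protocols:
                findings.append(("telnet", f"{vty_block}: {line}; restrict to ssh"))
    return findings

if __name__ == "__main__":
    for kind, detail in audit_config(SAMPLE_CONFIG):
        print(f"[{kind}] {detail}")
```

Feed it `show running-config` output collected from each device; an empty result means no v1/v2c community, no unencrypted v3 group, and no VTY line accepting Telnet.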
This report serves as a reminder that network devices are increasingly becoming a favorite target of hackers. As such, it is imperative that individuals and organizations take proactive steps to secure their systems and networks against these threats.