
Description:

The National Cyber Security Centre (NCSC), alongside the US National Security Agency, has released a joint advisory detailing the tactics and techniques used by a Russian hacking group known as APT28, which is known to be run by the Russian Government – specifically the Russian General Staff Main Intelligence Directorate (GRU). The advisory comes alongside an alert from the NCSC warning of a heightened threat of state-aligned groups attacking western critical national infrastructure. Cisco has also published a blog on the vulnerabilities.

Since 2021, APT28 has exploited Cisco routers that accept Simple Network Management Protocol (SNMP) community strings, which allow for remote access to a router and are similar to a user ID or password. APT28 used community strings that were default or weak to gain access to router information and enumerate router interfaces. Using SNMP, they found routers vulnerable to CVE-2017-6742, allowing an authenticated attacker to execute code remotely.

By exploiting the vulnerable routers, APT28 has deployed malware known as Jaguar Tooth, which allows attackers to collect information on the targeted device, discover other devices on the network, and provide unauthenticated access with a backdoor.

Despite Cisco patching the vulnerability over six years ago, the NCSC reports that APT28 could still use it to access a small number of routers “in Europe, US government institutions and approximately 250 Ukrainian victims”.

Preventions

If your organisation uses Cisco routers, ensure the latest software version is installed. If updating is not feasible, you can protect against potential attacks by limiting SNMP access to trusted users, disabling the default SNMP community string, and utilising robust and secure methods for accessing your routers.

The NCSC also recommends the following:

  • If you do not need to configure or manage devices remotely, do not use SNMP at all; this removes a route by which unauthorised users could access your router.
  • Enforce a strong password policy. Do not reuse the same password for multiple devices. Each device should have a unique password. Avoid legacy password-based authentication and implement two-factor authentication based on a public-private key.
  • Disable legacy unencrypted protocols such as Telnet and SNMP v1 or v2c. Where possible, use modern encrypted protocols such as SSH and SNMP v3.
  • Use logging tools such as TACACS+ and Syslog to record commands executed on your network devices. Use these logs to highlight suspicious events immediately and to keep a record that can support an investigation if the device’s integrity is ever in question.
  • If you suspect your router has been compromised:
    • Follow Cisco’s advice for verifying the Cisco IOS image.
    • Revoke all keys associated with that router. When replacing the router configuration, create new keys rather than pasting from the old configuration.
    • Replace the ROMMON and Cisco IOS images with an image sourced directly from the Cisco website if third-party and internal repositories have been compromised.
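The checks above can be run against exported configurations before an attacker does. The following is an added example, not code from the NCSC, NSA or Cisco advisories: it audits a Cisco IOS running-config fragment for the weaknesses the recommendations target (v1/v2c community strings, default or read-write communities without an access-list, Telnet on vty lines, and missing Syslog or TACACS+ command accounting). The config samples, the list of default community names and the password placeholders are constructed for illustration.

```python
import re

DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin"}  # constructed list; extend for your estate

COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW))?(?:\s+(\S+))?\s*$", re.I)
TRANSPORT_RE = re.compile(r"^\s+transport input\s+(.+)$")

# Constructed sample running-config fragments, not taken from any real device.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
"""
HARDENED_CONFIG = """\
access-list 10 permit 192.0.2.10
snmp-server group NMS-GRP v3 priv
snmp-server user nmsuser NMS-GRP v3 auth sha AUTH-PASS-PLACEHOLDER priv aes 128 PRIV-PASS-PLACEHOLDER
logging host 192.0.2.20
aaa accounting commands 15 default start-stop group tacacs+
line vty 0 4
 transport input ssh
"""


def audit_ios_config(config: str) -> list[str]:
    """Return findings for the weaknesses the advisory's mitigations target."""
    findings, in_vty = [], False
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line)
        if m:  # any v1/v2c community is a finding; a weak name, RW or no ACL is worse
            name, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
            findings.append(f"SNMP v1/v2c community '{name}' configured; prefer SNMPv3 authPriv")
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"community '{name}' is a default/weak string")
            if mode == "RW":
                findings.append(f"community '{name}' grants read-write access")
            if acl is None:
                findings.append(f"community '{name}' has no access-list limiting source hosts")
            continue
        # Track whether we are inside a 'line vty' block (its sub-commands are indented).
        in_vty = line.startswith("line vty") or (in_vty and line.startswith(" "))
        t = TRANSPORT_RE.match(line)
        if in_vty and t and any(p in t.group(1).lower() for p in ("telnet", "all")):
            findings.append("Telnet accepted on vty lines; restrict transport input to ssh")
    if not re.search(r"^logging host\b", config, re.M):
        findings.append("no syslog host configured")
    if not re.search(r"^aaa accounting commands\b", config, re.M):
        findings.append("no TACACS+ command accounting configured")
    return findings
```

Running `audit_ios_config(WEAK_CONFIG)` reports ten findings, while the hardened fragment (SNMPv3 with an access-list, SSH only, Syslog and TACACS+ accounting) reports none.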
