State-sponsored hacking group APT28, also known as Fancy Bear, Sednit, STRONTIUM, and Sofacy, has been deploying custom malware called ‘Jaguar Tooth’ on Cisco IOS routers to allow unauthenticated access to the device, according to a joint report from the UK National Cyber Security Centre, US Cybersecurity and Infrastructure Security Agency, the NSA, and the FBI.
The report explains that the group exploits an old SNMP flaw to inject the malware directly into the memory of Cisco routers running older firmware versions. Once installed, Jaguar Tooth exfiltrates information from the router and provides unauthenticated backdoor access to the device. The malware is non-persistent and targets Cisco IOS routers running firmware: C5350-ISM, Version 12.3(6).
The threat actors scan for public Cisco routers using weak SNMP community strings, such as the commonly used ‘public’ string, and then exploit the CVE-2017-6742 SNMP vulnerability, fixed in June 2017. This vulnerability is an unauthenticated, remote code execution flaw with publicly available exploit code.
Once the threat actors access the Cisco router, they patch its memory to install the custom, non-persistent Jaguar Tooth malware.
The report advises all Cisco admins to upgrade their routers to the latest firmware to mitigate these attacks. Cisco also recommends switching from SNMP to NETCONF/RESTCONF on public routers for remote management, as it offers more robust security and functionality.
If SNMP is required, admins should configure allow and deny lists to restrict who can access the SNMP interface on publicly exposed routers, and the community string should be changed to a sufficiently strong, random string. CISA also recommends disabling SNMP v2 or Telnet on Cisco routers.
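As an added illustration (not code from the report, CISA, or Cisco), a small Python audit that flags, in a Cisco IOS running-config, the weak settings the guidance above calls out: default or short community strings, communities without an access list, communities with write access, and Telnet on vty lines. Both config excerpts are constructed, the 16-character minimum is an assumed local policy, and the SNMPv3 passwords in the hardened excerpt are placeholders.

```python
import re

# Constructed sample of a weak IOS running-config excerpt (not from the report).
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community s3cr3t RW 10
snmp-server community Vq8mZ2kLp4Tr9WxH3bN6 RO 20
access-list 20 permit 192.0.2.10
access-list 20 deny any log
line vty 0 4
 transport input telnet ssh
"""

# Constructed hardened excerpt: SNMPv3 auth+priv bound to an ACL, SSH only.
# Passwords are placeholders.
HARDENED_CONFIG = """\
snmp-server group NETMON v3 priv access 20
snmp-server user monitor NETMON v3 auth sha AuthPassPlaceholder priv aes 128 PrivPassPlaceholder
access-list 20 permit 192.0.2.10
access-list 20 deny any log
line vty 0 4
 transport input ssh
"""

DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin"}  # illustrative list
MIN_COMMUNITY_LEN = 16  # assumed local policy, not a Cisco requirement


def audit_snmp(config: str) -> list[str]:
    """Return one finding per weak SNMP v1/v2c or Telnet setting in an IOS config."""
    findings = []
    # ACL identifiers defined anywhere in the config (numbered or named).
    defined_acls = set(re.findall(r"^(?:ip )?access-list (?:standard |extended )?(\S+)", config, re.M))
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] == ["snmp-server", "community"]:
            # Syntax: snmp-server community <string> [view <name>] [RO|RW] [<acl>]
            name, rest = tokens[2], tokens[3:]
            if rest[:1] == ["view"]:
                rest = rest[2:]
            mode = rest.pop(0) if rest[:1] in (["RO"], ["RW"]) else "RO"
            acl = rest[0] if rest else None
            if name.lower() in DEFAULT_COMMUNITIES or len(name) < MIN_COMMUNITY_LEN:
                findings.append(f"community {name!r}: default or short string")
            if mode == "RW":
                findings.append(f"community {name!r}: grants write access")
            if acl is None:
                findings.append(f"community {name!r}: no ACL limits SNMP sources")
            elif acl not in defined_acls:
                findings.append(f"community {name!r}: ACL {acl} is not defined")
        elif tokens[:2] == ["transport", "input"] and "telnet" in tokens:
            findings.append("vty line accepts Telnet; allow only ssh")
    return findings
```

Running `audit_snmp(SAMPLE_CONFIG)` yields six findings, while the hardened excerpt yields none because it has no v1/v2c community at all.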
The report highlights a growing trend among state-sponsored threat actors to create custom malware for networking devices to conduct cyber espionage and surveillance.
Edge network devices are becoming an increasingly popular target for threat actors. They do not support Endpoint Detection and Response (EDR) solutions, and they sit at the network edge with almost all corporate traffic flowing through them, which makes them attractive positions from which to surveil network traffic and gather credentials for further access into a network.