State-sponsored Russian Hackers Attack Cisco Routers


A state-sponsored Russian hacking group called ‘APT28’ (also known as ‘Fancy Bear’, ‘STRONTIUM’, ‘Sednit’, ‘Pawn Storm’ and ‘Sofacy’) has attacked Cisco IOS and IOS XE routers using custom malware called ‘Jaguar Tooth’.

A joint report from the NSA, CIA, CISA (the Cybersecurity and Infrastructure Security Agency) and the NCSC (UK National Cyber Security Centre), released to the public on the 18th of April, details the exploitation of Cisco routers. It confirms that APT28 has been deploying its custom malware to create backdoors in networks across European and American government institutions, as well as on 250 Ukrainian victims in 2021. The hacking group is believed to be part of Russia’s intelligence services, specifically the “Staff Main Intelligence Directorate’s (GRU) 85th Special Service Centre (GTsSS) Military Intelligence Unit 26165”.

According to the joint advisory, APT28 has been exploiting a known vulnerability that Cisco patched back in 2017 (CVE-2017-6742). The vulnerability allows remote code execution; once it is exploited, the threat actor patches the router’s memory to install the custom malware “Jaguar Tooth”. The installed malware then grants the intruder access to local accounts without a password when connecting to the Cisco router. In the background, Jaguar Tooth also creates a new process called “Service Policy Lock”, which collects data from the command prompt of connected devices and sends it out using TFTP (Trivial File Transfer Protocol).

The exfiltrated data includes the output of the following commands:

  • show running-config
  • show version
  • show ip interface brief
  • show arp
  • show cdp neighbors
  • show start
  • show ip route

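Because the article only tells us that the collected command output leaves the router over TFTP, the most useful defensive check a network team can build from it is an egress alert: a router should only ever speak TFTP to the organisation’s own TFTP server. The script below is an added example written for this page, not code from the advisory or from Cisco. It assumes a constructed key=value flow-log format, a constructed list of router management addresses (ROUTER_MGMT) and a constructed allowlist of approved TFTP servers (APPROVED_TFTP); the only outside fact it relies on is that TFTP runs over UDP port 69.

```python
"""Flag TFTP flows that originate from a router and go to a host that is
not an approved TFTP server.  Added illustrative detection logic: the
flow format, addresses and allowlist below are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable

TFTP_PORT = 69  # TFTP is carried over UDP port 69

# Constructed inventory: management addresses of the routers being watched.
ROUTER_MGMT = {ipaddress.ip_address(a) for a in ("10.0.0.1", "10.0.0.2")}
# Constructed allowlist: the only TFTP server these routers should contact.
APPROVED_TFTP = {ipaddress.ip_address("10.0.0.50")}

# Constructed flow records (not real traffic) in a simple key=value export.
SAMPLE_FLOWS = """\
ts=2023-04-18T10:01:02Z proto=udp src=10.0.0.1 sport=49152 dst=10.0.0.50 dport=69 bytes=1200
ts=2023-04-18T10:03:14Z proto=udp src=10.0.0.2 sport=49231 dst=198.51.100.23 dport=69 bytes=18432
ts=2023-04-18T10:03:15Z proto=tcp src=10.0.0.2 sport=49232 dst=10.0.0.60 dport=22 bytes=900
ts=2023-04-18T10:04:40Z proto=udp src=192.168.5.7 sport=51000 dst=198.51.100.23 dport=69 bytes=600
"""


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    nbytes: int
    reason: str


def parse_flow(line: str) -> dict:
    """Turn one 'k=v k=v ...' record into a dict; ports and bytes become ints."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    for key in ("sport", "dport", "bytes"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def find_unapproved_tftp(lines: Iterable[str]) -> list:
    """Return a Finding for every router-originated TFTP flow whose
    destination is not on the approved-server allowlist."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        flow = parse_flow(raw)
        # Only UDP traffic to the TFTP port is in scope.
        if flow.get("proto") != "udp" or flow.get("dport") != TFTP_PORT:
            continue
        src = ipaddress.ip_address(flow["src"])
        dst = ipaddress.ip_address(flow["dst"])
        if src not in ROUTER_MGMT:
            continue  # a workstation talking TFTP is a different question
        if dst in APPROVED_TFTP:
            continue  # routine config backup to the sanctioned server
        findings.append(Finding(flow["ts"], flow["src"], flow["dst"],
                                flow["bytes"], "router TFTP to unapproved host"))
    return findings


def bytes_by_router(findings: list) -> dict:
    """Sum the bytes each router pushed to unapproved TFTP hosts; a large
    total is consistent with whole 'show' outputs leaving the device."""
    totals = {}
    for fd in findings:
        totals[fd.src] = totals.get(fd.src, 0) + fd.nbytes
    return totals


if __name__ == "__main__":
    hits = find_unapproved_tftp(SAMPLE_FLOWS.splitlines())
    for fd in hits:
        print(f"{fd.ts} {fd.src} -> {fd.dst} ({fd.nbytes} bytes): {fd.reason}")
    print("bytes per router:", bytes_by_router(hits))
```

Of the four constructed records, only the second is reported: the first is a router backing up to the approved server, the third is SSH rather than TFTP, and the fourth comes from a host that is not a router. In a real deployment the two sets would be fed from the device inventory rather than hard-coded, and the same rule can be applied to a firewall or NetFlow export that uses different field names by adjusting parse_flow.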
Matt Olney, Director of Threat Intelligence at Cisco Talos, said of the campaign: “…. a much broader trend of sophisticated adversaries targeting networking infrastructure to advance espionage objectives or pre-position for future destructive activity. Cisco is deeply concerned by an increase in the rate of high-sophistication attacks on network infrastructure that we have observed and have seen corroborated by numerous reports issued by various intelligence organisations indicating state-sponsored actors are targeting routers and firewalls globally.”


Your Security is our Priority

Your friendly Support Team



This is part of our Cyber Security awareness educational campaign. Through this training you will learn the key principles and best practices for protecting yourself, your organisation and the public from cyber attackers. You will also be equipped with the knowledge to identify potential threats and take action before any damage can occur.
