US, UK warn of hackers exploiting Cisco routers

Cybersecurity and intelligence agencies in the United Kingdom and the United States have issued alerts about the Russian nation-state actor APT28 exploiting now-patched vulnerabilities in Cisco networking hardware to conduct reconnaissance and deploy malware against targets.

APT28, often referred to as Fancy Bear, STRONTIUM, Sednit, and Sofacy, is a government-sponsored hacker organization associated with the GRU, the General Staff’s Main Intelligence Directorate of Russia. This hacker gang is notorious for using zero-day exploits to carry out cyber espionage and has been linked to a variety of attacks on US and European targets.

The NSA, FBI, US Cybersecurity and Infrastructure Security Agency (CISA), and the UK National Cyber Security Centre (NCSC) jointly published a report on 18 April describing how APT28 has been exploiting an old, already patched SNMP vulnerability in Cisco IOS routers to deploy a custom malware implant called “Jaguar Tooth.”

“APT28 has been known to access vulnerable routers by using default and weak SNMP community strings, and by exploiting CVE-2017-6742,” the National Cyber Security Centre (NCSC) said.

CVE-2017-6742 (CVSS score: 8.8) is one of several remote code execution bugs related to the Simple Network Management Protocol (SNMP) subsystem in Cisco IOS and IOS XE software that result from a buffer overflow condition.

“Jaguar Tooth is non-persistent malware that targets Cisco IOS routers running firmware: C5350-ISM, Version 12.3(6). It includes functionality to collect device information, which it exfiltrates over TFTP, and enables unauthenticated backdoor access. It has been observed being deployed and executed via exploitation of the patched SNMP vulnerability CVE-2017-6742,” warns the NCSC advisory.
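The advisory text above gives defenders two network-level signals: Jaguar Tooth exfiltrates collected device information over TFTP, and it is delivered through the SNMP service. The following is an added example, not code from the advisory or from any agency tooling, that checks flow records for both: a router talking TFTP (UDP/69) to a host that is not an approved TFTP server, and SNMP (UDP/161) reaching a router from outside the management network. The flow records, the router subnet, the management subnet and the approved-server list are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, proto, dst_port, bytes).
# These are made up for the example, not real telemetry.
SAMPLE_FLOWS = [
    ("10.1.0.1", "192.0.2.20", "udp", 69, 1500),        # router -> approved TFTP server
    ("10.1.0.1", "198.51.100.77", "udp", 69, 30000),    # router -> unknown host over TFTP
    ("10.1.0.1", "198.51.100.77", "udp", 69, 18000),    # same pair, second transfer
    ("203.0.113.9", "10.1.0.1", "udp", 161, 240),       # SNMP to router from outside mgmt net
    ("192.0.2.50", "10.1.0.1", "udp", 161, 240),        # SNMP from the NMS, expected
    ("10.1.0.2", "192.0.2.50", "udp", 162, 100),        # trap to the NMS, ignored here
]

# Assumed network layout for the example (hypothetical addresses).
ROUTER_NET = ipaddress.ip_network("10.1.0.0/24")      # router loopbacks / mgmt interfaces
MGMT_NET = ipaddress.ip_network("192.0.2.0/24")       # NMS and approved TFTP servers live here
APPROVED_TFTP = {ipaddress.ip_address("192.0.2.20")}

TFTP_PORT = 69
SNMP_PORT = 161


def detect_tftp_exfil(flows, routers=ROUTER_NET, approved=APPROVED_TFTP):
    """Return one alert per (router, destination) pair that used TFTP to a
    destination not on the approved list, with the total bytes sent."""
    totals = defaultdict(int)
    for src, dst, proto, dport, nbytes in flows:
        if proto != "udp" or dport != TFTP_PORT:
            continue
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip in routers and dst_ip not in approved:
            totals[(src, dst)] += nbytes
    return [{"router": src, "dest": dst, "bytes": total}
            for (src, dst), total in totals.items()]


def detect_snmp_exposure(flows, routers=ROUTER_NET, mgmt=MGMT_NET):
    """Return one alert per source that sent SNMP to a router from outside
    the management network; any hit means the SNMP service is reachable
    from where it should not be."""
    seen = set()
    alerts = []
    for src, dst, proto, dport, _ in flows:
        if proto != "udp" or dport != SNMP_PORT:
            continue
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst_ip in routers and src_ip not in mgmt and (src, dst) not in seen:
            seen.add((src, dst))
            alerts.append({"source": src, "router": dst})
    return alerts


if __name__ == "__main__":
    for a in detect_tftp_exfil(SAMPLE_FLOWS):
        print(f"TFTP to unapproved host: {a['router']} -> {a['dest']} ({a['bytes']} bytes)")
    for a in detect_snmp_exposure(SAMPLE_FLOWS):
        print(f"SNMP from outside mgmt net: {a['source']} -> {a['router']}")
```

Aggregating per (router, destination) pair rather than per flow matters because a TFTP exfiltration shows up as several small transfers; the byte total is what makes the pair stand out against routine config backups to the approved server.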

All Cisco administrators are advised to upgrade their routers to the latest firmware to mitigate these attacks.
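Patching closes CVE-2017-6742, but the NCSC quote above also names default and weak SNMP community strings as an access route, and those survive a firmware upgrade. The script below is an added example, not code from the advisory, that audits a Cisco IOS running-config excerpt for the SNMP weaknesses the article describes: default or guessable community strings, read-write communities, communities with no access-list restricting the source, cleartext SNMPv1/v2c trap destinations, and the absence of any SNMPv3 group. The sample configuration, the default-string list and the minimum length are constructed assumptions for the example.

```python
import re

# Constructed sample running-config excerpt; not from the advisory or a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
snmp-server community public RO
snmp-server community private RW
snmp-server community Xk9$v2q!Lm7#Rt4z RO 10
snmp-server group netops v3 priv
snmp-server host 192.0.2.50 version 2c public
!
access-list 10 permit 192.0.2.0 0.0.0.255
"""

# Assumed list of community strings that are shipped defaults or commonly guessed.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "secret", "monitor"}
MIN_COMMUNITY_LEN = 12  # assumed policy minimum for the example

# snmp-server community <string> [view <name>] [RO|RW] [acl]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)"
    r"(?:\s+view\s+\S+)?"
    r"(?:\s+(?P<mode>RO|RW))?"
    r"(?:\s+(?P<acl>\S+))?\s*$"
)
# snmp-server host <addr> [traps|informs] [version 1|2c|3] <community-or-user>
HOST_RE = re.compile(
    r"^snmp-server host \S+(?:\s+(?:traps|informs))?"
    r"(?:\s+version\s+(?P<ver>1|2c|3))?\s+(?P<comm>\S+)"
)
V3_GROUP_RE = re.compile(r"^snmp-server group \S+ v3\b")


def is_weak_community(name):
    """A community is weak if it is a known default, shorter than the policy
    minimum, or made only of letters (a dictionary-style value)."""
    return (name.lower() in DEFAULT_COMMUNITIES
            or len(name) < MIN_COMMUNITY_LEN
            or name.isalpha())


def audit_snmp_config(config_text):
    """Return a list of (finding_type, subject, description) tuples."""
    findings = []
    has_v3 = False
    for raw in config_text.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            name, mode, acl = m.group("name"), m.group("mode") or "RO", m.group("acl")
            if is_weak_community(name):
                findings.append(("WEAK_COMMUNITY", name, "default or guessable community string"))
            if mode == "RW":
                findings.append(("RW_COMMUNITY", name, "read-write community allows config changes via SNMP"))
            if acl is None:
                findings.append(("NO_ACL", name, "community not restricted to management hosts"))
            continue
        m = HOST_RE.match(line)
        if m:
            ver = m.group("ver") or "1"  # IOS defaults to version 1 when omitted
            if ver != "3":
                findings.append(("CLEARTEXT_TRAPS", m.group("comm"),
                                 f"SNMPv{ver} traps send the community string in cleartext"))
            continue
        if V3_GROUP_RE.match(line):
            has_v3 = True
    if not has_v3:
        findings.append(("NO_SNMPV3", "-", "no SNMPv3 group configured; prefer v3 with authPriv"))
    return findings


if __name__ == "__main__":
    for kind, subject, desc in audit_snmp_config(SAMPLE_CONFIG):
        print(f"{kind:16} {subject:20} {desc}")
```

Run this against a `show running-config` capture from each router; a clean result still does not replace the firmware upgrade, since CVE-2017-6742 is reachable by anyone who knows a valid community string, strong or not.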

May 21st, 2024