iTnews Asia
Fancy Bear used old SNMP bug to infect routers

Cisco vuln from 2017 exploited in malware campaign, UK and US warn.

By Richard Chirgwin on Apr 19, 2023 10:28AM

Since 2021, Russia’s APT28 hackers – also known as Fancy Bear and other names – have been recruiting older, unpatched Cisco routers into a malware operation.

In a joint advisory, the UK National Cyber Security Centre (NCSC) and the US National Security Agency, Cybersecurity and Infrastructure Security Agency and FBI have laid out the APT28 exploitation tactics.

The vulnerability exploited by the attackers was CVE-2017-6742, a bug in the Simple Network Management Protocol (SNMP) implementation shipping with the then-current version of Cisco’s IOS XE software.

Once a vulnerable router was compromised, SNMP also let the attackers obtain sensitive information about the network behind the router.

“A number of software tools can scan the entire network using SNMP, meaning that poor configuration such as using default or easy-to-guess community strings, can make a network susceptible to attacks”, the UK advisory said.

“Weak SNMP community strings, including the default ‘public’, allowed APT28 to gain access to router information. APT28 sent additional SNMP commands to enumerate router interfaces.”

The attackers also reconfigured compromised units to use the SNMP v2 protocol, which doesn’t support encryption.
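The misconfigurations the advisory calls out (default or short community strings, read-write access, no source restriction, and SNMPv1/v2c or v3 without privacy) can be checked from a saved configuration. This is an added defender-side example, not code from the article or the advisory; the configuration lines and the list of default community strings are constructed assumptions, not values from the page.

```python
import re

# Constructed sample of Cisco IOS running-config lines (not taken from the advisory).
SAMPLE_CONFIG = """\
hostname edge-rtr1
snmp-server community public RO
snmp-server community private RW
snmp-server community Zq8vR2pL0xkW RO 10
snmp-server group NETMON v3 priv
snmp-server group LEGACY v3 noauth
access-list 10 permit 10.20.30.5
"""

# Assumed list of default / guessable community strings worth flagging.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin"}

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?\s*$", re.M)
# snmp-server group <name> v3 {noauth|auth|priv}
V3_GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b", re.M)


def audit_snmp(config: str) -> list[str]:
    """Return human-readable findings for weak SNMP settings in an IOS config."""
    findings = []
    communities = COMMUNITY_RE.findall(config)
    for community, mode, acl in communities:
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default community string '{community}'")
        elif len(community) < 12:
            findings.append(f"short community string '{community}'")
        if mode == "RW":
            findings.append(f"read-write community '{community}'")
        if not acl:
            findings.append(f"community '{community}' has no access-list limiting sources")
    if communities:
        # Any community string means SNMPv1/v2c is enabled; both send it in cleartext.
        findings.append("SNMPv1/v2c community strings configured; migrate to SNMPv3 priv")
    for group, level in V3_GROUP_RE.findall(config):
        if level != "priv":
            findings.append(f"v3 group '{group}' uses '{level}' (no encryption)")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print("FINDING:", finding)
```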

The attackers then deployed malware called Jaguar Tooth to the router, which the agencies said collects device information, exfiltrates data using the Trivial File Transfer Protocol (TFTP), and enables unauthenticated backdoor access.

Once in control of the router, attackers were also able to use the compromised device's command line interface to discover other devices on the network, using the Address Resolution Protocol (ARP).

Cisco’s 2017 advisory did not nominate hardware devices subject to the vulnerability, but rather listed nine vulnerable SNMP Management Information Bases (MIBs), and told users disabling those MIBs would protect the routers.

Copyright © iTnews.com.au. All rights reserved.