Russian Fancy Bear APT Exploited Unpatched Cisco Routers to Hack US, EU Govt Agencies

Published: 23/11/2024   Category: security




The nation-state threat group deployed custom malware on archaic versions of Cisco's router operating system. Experts warn that such attacks targeting network infrastructure are on the rise.



As recently as 2021, the notorious Russian APT28 was exploiting network routers running outdated versions of Cisco's IOS and IOS XE operating system software, using them to deploy backdoors in networks across European and American government institutions.

APT28 — aka Fancy Bear, Strontium, Tsar Team, and Sofacy Group — is best known for its campaigns against Ukraine and the 2016 US elections. The UK National Cyber Security Centre (NCSC) has attributed this group to the 85th Special Service Centre, Military Intelligence Unit 26165, part of Russia's General Staff Main Intelligence Directorate (GRU).
The NCSC, the National Security Agency, the Cybersecurity and Infrastructure Security Agency (CISA), and the FBI this week published a joint advisory outlining one of APT28's less technically impressive but more economical maneuvers. According to their findings, the group used unpatched Cisco routers to access a small number of EU and US government institutions, on top of approximately 250 Ukrainian victims.
Though the campaign took place two years ago, Cisco Talos, in a blog post, expressed how deeply concerned it is by an increase in the rate of high-sophistication attacks on network infrastructure by nation-state actors.

"We certainly have seen an increase over the last several years — even over the last six to 12 months — in targeting this type of infrastructure," says JJ Cummings, national security principal at Cisco Talos. "I think this is probably only the tip of the iceberg."
On June 29, 2017, Cisco revealed a series of vulnerabilities in the Simple Network Management Protocol (SNMP), a communications protocol for network devices, affecting devices running IOS versions 12.0 through 12.4 and 15.0 through 15.6, and IOS XE 2.2 through 3.17.

A specially crafted SNMP packet, the company explained, could have allowed attackers to remotely execute code on affected devices, or cause them to reboot. The vulnerabilities were grouped under CVE-2017-6742 and assigned a High CVSS score of 8.8.
Though a patch for the SNMP vulnerabilities was released all those years ago, by 2021 APT28 was still exploiting Cisco routers to access US, EU, and primarily Ukrainian government networks.
In the same way administrators use SNMP to remotely monitor and configure network devices, APT28 used it to remotely access devices and penetrate networks.
"A number of software tools can scan the entire network using SNMP," the advisory explained, "meaning that poor configuration, such as using default or easy-to-guess community strings, can make a network susceptible to attacks."

In particular, APT28 took advantage of weak passwords — community strings, in Cisco parlance — such as the default "public" string in order to crack routers and, in some cases, deploy their Jaguar Tooth malware. Jaguar Tooth was specifically designed to exploit CVE-2017-6742, stealing device information and planting a backdoor for persistent access.
A remarkable number of enterprise Internet routers in operation today are publicly exposed on the open Internet. And they're not only exposed — they're vulnerable. For scale, consider this: after a series of vulnerabilities were discovered in multiple Cisco Small Business Routers earlier this year, software company Censys scanned for any potentially vulnerable devices online. The search returned over 20,000 results, the vast majority of which are still equally exposed to this day.
And just as a software company can identify these devices, so can hackers. "Usually, cybercriminals will be using tools like Shodan or Nmap to scan and look for exposed devices connected to the internet," explains James McQuiggan, security awareness advocate at KnowBe4. Organizations may try the security-by-obscurity model, "hoping they're not discovered running older legacy systems," he says, but hackers who can find and so easily exploit these devices "have opened the electronic front door."

Cisco regularly publishes information about new vulnerabilities and risks to IT infrastructure, such as this blog post published on April 18.
In IT environments, Cummings observes, there's one main reason why routing devices remain unpatched for years at a time. "Think about what the primary mission of a network operations team is: to keep the network up and running, right?" A byproduct of this prioritization of reliability and availability, he says, could be that "if a device is not broken, maybe they're not going to fix it."

Further, updating can sometimes come at a cost — albeit temporary — for operations. "We've seen in a couple of cases that, while the process to upgrade isn't necessarily difficult or arduous, it's also not always without risk for network availability. If availability is the primary goal, if they're incentivized not to impact that, anything that gets in the way is something that they're going to shy away from."
Updating IOS and IOS XE is necessary for addressing CVE-2017-6742, but in cases where doing so is tricky, there are other simple changes IT administrators can make to harden against similar infrastructure breaches. If updates are not possible, McQuiggan says, network monitoring, even if it's by a third-party managed security service, can alert on intrusions and possible unauthorized logins to external-facing networking equipment.
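The monitoring McQuiggan describes is concrete enough to sketch. The following is an added example (not code from the article, the advisory, or Cisco) of detection logic that runs over Cisco IOS-style syslog lines and raises alerts for configuration changes or SNMP authentication failures originating outside a management network, and for repeated login failures against the device. The message formats are modeled on IOS syslog; the management network, the threshold, and the sample log lines are constructed assumptions, not real logs.

```python
"""Detection logic over Cisco IOS-style syslog lines: flag configuration
changes or SNMP authentication failures from outside the management
network, and repeated login failures from one source.

Added illustrative code, not from the article, the advisory, or Cisco.
Message formats are modeled on IOS syslog; MGMT_NETS, the threshold and
SAMPLE_LOGS are constructed assumptions."""
import ipaddress
import re
from collections import Counter

# Assumption: the only network from which administration is expected.
MGMT_NETS = [ipaddress.ip_network("192.0.2.0/24")]
LOGIN_FAIL_THRESHOLD = 3  # failures from a single source before alerting

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
CONFIG_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by (\S+) on (\S+) \(" + IPV4 + r"\)")
LOGIN_FAIL_RE = re.compile(r"%SEC_LOGIN-4-LOGIN_FAILED:.*\[Source: " + IPV4 + r"\]")
SNMP_FAIL_RE = re.compile(r"%SNMP-3-AUTHFAIL:.*from host " + IPV4)


def is_trusted(ip: str) -> bool:
    """True when the address lies inside an allowed management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)


def analyze(lines) -> list[tuple[str, str, str]]:
    """Return (alert_kind, source_ip, detail) tuples in the order triggered."""
    alerts = []
    failures = Counter()
    for line in lines:
        if m := CONFIG_RE.search(line):
            user, tty, src = m.groups()
            if not is_trusted(src):
                alerts.append(("config_change_untrusted_source", src, f"user {user} on {tty}"))
        elif m := LOGIN_FAIL_RE.search(line):
            src = m.group(1)
            failures[src] += 1
            if failures[src] == LOGIN_FAIL_THRESHOLD:  # alert once per source
                alerts.append(("repeated_login_failures", src, f"{LOGIN_FAIL_THRESHOLD} failures"))
        elif m := SNMP_FAIL_RE.search(line):
            src = m.group(1)
            if not is_trusted(src):
                alerts.append(("snmp_auth_failure_untrusted_source", src,
                               "bad community string or SNMPv3 credentials"))
    return alerts


# Constructed sample lines (not real logs); 192.0.2.10 is inside MGMT_NETS,
# 198.51.100.7 is not.
SAMPLE_LOGS = [
    "Jan 12 10:03:11 edge-rtr-01 101: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "Jan 12 10:05:42 edge-rtr-01 102: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]",
    "Jan 12 10:05:49 edge-rtr-01 103: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]",
    "Jan 12 10:05:55 edge-rtr-01 104: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]",
    "Jan 12 10:06:10 edge-rtr-01 105: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.7",
    "Jan 12 10:09:30 edge-rtr-01 106: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (198.51.100.7)",
]

if __name__ == "__main__":
    for kind, src, detail in analyze(SAMPLE_LOGS):
        print(f"ALERT {kind}: source={src} ({detail})")
```

The first configuration change comes from the management network and is silent; the three failed logins, the SNMP authentication failure, and the later configuration change from 198.51.100.7 each produce an alert. In practice the allowlist would be fed from the same source of truth as the device's infrastructure ACLs, so the two controls stay consistent.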
In its blog post, Cisco emphasized more than anything the need to restrict infrastructure to trusted users. "Designed to prevent unauthorized direct communication to network devices, infrastructure access control lists (ACLs) are one of the most critical security controls that can be implemented in networks," they wrote. "Exploitation of these vulnerabilities is best prevented by restricting access to trusted administrators and IP addresses."
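Two of the article's points, the weak or default community strings APT28 abused and Cisco's advice to gate SNMP behind infrastructure ACLs, can be checked statically against a device's running configuration. Below is an added example (not code from the article, the advisory, or Cisco) that audits Cisco IOS-style `snmp-server community` lines for default strings, SNMPv1/v2c write access, a missing ACL, and an ACL that is referenced but never defined. The command syntax is IOS-like; the weak-string list and the sample configuration are constructed assumptions.

```python
"""Static audit of a Cisco IOS-style configuration for the SNMP weaknesses
the advisory describes: default or guessable community strings, SNMPv1/v2c
write access, and SNMP reachable without an infrastructure ACL.

Added illustrative code, not from the advisory, Cisco, or the article. The
command syntax is IOS-like; WEAK_COMMUNITIES and SAMPLE_CONFIG are
constructed assumptions, not data from any real device."""
import re

# Assumption: a small starting list of default/guessable community strings.
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin", "snmp"}

# "snmp-server community <string> [RO|RW] [<acl-number-or-name>]"
COMMUNITY_RE = re.compile(
    r"^\s*snmp-server\s+community\s+(\S+)(?:\s+(RO|RW))?(?:\s+(\S+))?\s*$",
    re.IGNORECASE,
)
# Numbered ACLs ("access-list 10 ...") and named ACLs ("ip access-list standard X")
ACL_DEF_RE = re.compile(
    r"^\s*(?:access-list\s+(\S+)\s|ip\s+access-list\s+(?:standard|extended)\s+(\S+))",
    re.IGNORECASE | re.MULTILINE,
)
SNMPV3_RE = re.compile(r"^\s*snmp-server\s+group\s+\S+\s+v3\b", re.IGNORECASE | re.MULTILINE)


def defined_acls(config: str) -> set[str]:
    """Names or numbers of every ACL actually defined in the config."""
    return {m.group(1) or m.group(2) for m in ACL_DEF_RE.finditer(config)}


def audit_snmp(config: str) -> dict:
    """Return {'snmpv3_configured': bool, 'findings': [...]}: one finding per
    risky 'snmp-server community' line, each carrying its list of problems."""
    acls = defined_acls(config)
    findings = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        community, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        problems = []
        if community.lower() in WEAK_COMMUNITIES:
            problems.append("default or guessable community string")
        if mode == "RW":
            problems.append("write access over SNMPv1/v2c (cleartext community)")
        if acl is None:
            problems.append("no access-list restricting SNMP source addresses")
        elif acl not in acls:
            # A referenced but undefined ACL offers no protection; treat as unrestricted.
            problems.append(f"referenced ACL '{acl}' is not defined")
        if problems:
            findings.append({"line": line.strip(), "community": community,
                             "mode": mode, "acl": acl, "problems": problems})
    return {"snmpv3_configured": bool(SNMPV3_RE.search(config)), "findings": findings}


# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
access-list 10 permit 192.0.2.0 0.0.0.255
!
snmp-server community public RO
snmp-server community private RW
snmp-server community s3cr3t-m0n RO 10
snmp-server community r0-team RO NMS-HOSTS
snmp-server group NETMON v3 priv
"""

if __name__ == "__main__":
    report = audit_snmp(SAMPLE_CONFIG)
    print("SNMPv3 configured:", report["snmpv3_configured"])
    for f in report["findings"]:
        print(f"{f['line']!r}: " + "; ".join(f["problems"]))
```

On the sample, the `public` and `private` communities are flagged (default string, no ACL, and write access for `private`), the `r0-team` community is flagged because `NMS-HOSTS` is never defined, and only `s3cr3t-m0n`, bound to the defined ACL 10, passes. The audit is a configuration check, not a substitute for the IOS/IOS XE update that actually removes CVE-2017-6742.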
