APT28 Hackers Deploy Malware on Cisco Routers Via Unpatched Vulnerabilities

The following agencies have published a joint advisory warning that APT28, a Russian state-sponsored group, is actively deploying 'Jaguar Tooth', a piece of custom malware, on Cisco IOS routers:

  • The UK National Cyber Security Centre (NCSC)
  • The US National Security Agency (NSA)
  • The US Cybersecurity and Infrastructure Security Agency (CISA)
  • The US Federal Bureau of Investigation (FBI)

By exploiting an unpatched SNMP vulnerability in Cisco IOS routers, the threat actors gain code execution on the target device. The only "credential" they need is the router's SNMP community string, which they obtain by trying common defaults rather than by breaking any authentication.

APT28 is also tracked under the following names:

  • Fancy Bear
  • Strontium
  • Pawn Storm
  • Sednit
  • Sofacy

Cybersecurity analysts have linked this state-sponsored group to Russia's General Staff Main Intelligence Directorate (GRU).

Custom malware

Jaguar Tooth targets Cisco routers running outdated IOS firmware and is written directly into the router's memory. It collects information about the compromised device, exfiltrates that data over TFTP, and opens a backdoor that grants unauthenticated access.

APT28 exploited CVE-2017-6742, a remote code execution vulnerability in the SNMP subsystem of Cisco IOS and IOS XE. Cisco disclosed the flaw on 29 June 2017 and released fixed software at the same time; the routers hit in this campaign had simply never been updated.

The operators behind Jaguar Tooth locate vulnerable routers by scanning internet-exposed devices for commonly used, weak SNMP community strings such as 'public'. A router that answers to a default string is then targeted for infection.

SNMP community strings function like passwords: a host that presents the correct string can read (or, with a read-write string, change) the device's SNMP data. In SNMPv1 and SNMPv2c the string is sent in cleartext with every request, so a default string such as 'public' hands an attacker both a working credential and a way to fingerprint the device.
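As an added example (not code from the advisory or from the article), the following Python builds an SNMPv2c GetRequest for sysDescr.0 by hand, without an SNMP library, and parses a constructed reply. It makes the point above concrete: the community string is a plain OCTET STRING a few bytes into the datagram, readable by anyone on the path, and one UDP probe with 'public' is all a scanner needs. The probe() helper sends a real packet and must only be pointed at devices you are authorised to test; the sysDescr value used in the demo is constructed, not captured traffic.

```python
"""
Hand-rolled SNMPv2c GetRequest/GetResponse (BER encoding) to show that the
community string travels in cleartext.  Added example; the sample reply is constructed.
"""
import socket

SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # sysDescr.0


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(value: int) -> bytes:
    """INTEGER, minimal two's-complement encoding."""
    length = max(1, (value.bit_length() + 8) // 8)
    return tlv(0x02, value.to_bytes(length, "big", signed=True))


def ber_oid(arcs) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community: str, oid=SYS_DESCR_OID, request_id: int = 0x1234) -> bytes:
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))          # OID + NULL placeholder
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    # version INTEGER 1 == SNMPv2c; the community string is just an OCTET STRING
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)


def build_get_response(community: str, value: bytes, oid=SYS_DESCR_OID, request_id: int = 0x1234) -> bytes:
    """Constructed agent reply, used only so the parser can be exercised offline."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x04, value))
    pdu = tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long form: next n bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_response(packet: bytes) -> dict:
    """Extract version, community and the first varbind value from a GetResponse."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    tag, pdu, _ = read_tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse-PDU (tag 0x%02x)" % tag)
    _, req_id, pos = read_tlv(pdu, 0)
    _, err_status, pos = read_tlv(pdu, pos)
    _, _err_index, pos = read_tlv(pdu, pos)
    _, vblist, _ = read_tlv(pdu, pos)
    _, varbind, _ = read_tlv(vblist, 0)
    _, _oid, pos = read_tlv(varbind, 0)
    vtag, value, _ = read_tlv(varbind, pos)
    return {
        "version": int.from_bytes(ver, "big", signed=True),
        "community": community.decode(errors="replace"),
        "request_id": int.from_bytes(req_id, "big", signed=True),
        "error_status": int.from_bytes(err_status, "big", signed=True),
        "value": value.decode(errors="replace") if vtag == 0x04 else value,
    }


def probe(host: str, community: str = "public", timeout: float = 2.0):
    """One GetRequest for sysDescr.0 over UDP/161; None on timeout.  Authorised targets only."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community), (host, 161))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data)


if __name__ == "__main__":
    pkt = build_get_request("public")
    print(pkt.hex())
    print("community string sits at byte offset", pkt.find(b"public"))   # cleartext on the wire
    print(parse_response(build_get_response("public", b"constructed sysDescr value")))
```

The request is 41 bytes long and the community string starts at offset 7, right after the SNMP version; nothing in the packet hides or protects it, which is why a scan for 'public' is cheap and why the advisory tells operators to move off SNMPv1/v2c.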

Once the community string lets them exploit the router, the attackers modify its running memory and plant Jaguar Tooth. The implant is non-persistent: it lives only in memory and does not survive a reload of the device.

The backdoor patches the router's authentication routine so that existing local accounts can be used over Telnet or a physical (console) session without supplying a password.

Recommendations

The joint advisory and Cisco offer the following recommendations:

  • To mitigate these attacks, Cisco administrators should update their routers to the latest fixed IOS release.
  • Where remote management of internet-exposed routers is needed, switch from SNMP to NETCONF/RESTCONF.
  • If SNMP is still required on publicly exposed routers, restrict it with allow and deny lists (access control lists) so that only designated management hosts can send SNMP messages to the device.
  • Do not use SNMPv2c or Telnet on Cisco routers; prefer SNMPv3 with authentication and privacy, and SSH for interactive access.
  • If a device is suspected of being compromised, verify the integrity of its IOS image following Cisco's published guidance, and revoke all keys associated with the device.
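The recommendations above translate into a handful of checks that can be run over an exported running-config. The following Python is an added example, not Cisco's or the advisory's code: it audits a config text for the weak settings the advisory calls out (default community strings, read-write communities, communities without a source access-list, v1/v2c with no SNMPv3 group, Telnet accepted on the vty lines). Both config samples are constructed. The first reflects the kind of router Jaguar Tooth's operators could find with a 'public' string; the second is a hardened equivalent using an SNMPv3 authPriv group bound to an access-list and SSH-only vty access. The list of weak community strings is an assumption you should extend for your own estate.

```python
"""
Audit a Cisco IOS running-config (plain text) against the advisory's SNMP and
Telnet recommendations.  Added example; the two configs below are constructed.
"""
import re

# Common default / guessable community strings (assumed list; extend as needed)
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin", "snmp", "community", "monitor"}

WEAK_CONFIG = """\
hostname edge-rtr-1
!
snmp-server community public RO
snmp-server community private RW
!
line vty 0 4
 transport input telnet ssh
 login local
!
"""

HARDENED_CONFIG = """\
hostname edge-rtr-1
!
access-list 10 permit host 10.0.0.5
access-list 10 deny   any log
!
no snmp-server community public
snmp-server group NMS-RO v3 priv access 10
snmp-server user nms-poller NMS-RO v3 auth sha <auth-pass> priv aes 128 <priv-pass>
!
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
!
"""


def audit_ios_config(config: str) -> list[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    lines = config.splitlines()

    # Defined ACLs (numbered or named), so community/group bindings can be verified.
    acls = set()
    for line in lines:
        m = re.match(r"access-list (\S+) ", line) or re.match(r"ip access-list (?:standard|extended) (\S+)", line)
        if m:
            acls.add(m.group(1))

    # SNMPv1/v2c community strings: weak value, write access, missing or undefined source ACL.
    communities = []
    v3_priv = False
    for line in lines:
        tokens = line.split()
        if tokens[:2] == ["snmp-server", "community"] and len(tokens) >= 3:
            community = tokens[2]
            communities.append(community)
            if community.lower() in WEAK_COMMUNITIES:
                findings.append(f"weak SNMP community string '{community}'")
            if "RW" in tokens[3:]:
                findings.append(f"SNMP community '{community}' grants write access (RW)")
            # IOS syntax puts the optional access-list last: snmp-server community <str> [RO|RW] [acl]
            acl = tokens[-1] if len(tokens) > 3 and tokens[-1].upper() not in ("RO", "RW") else None
            if acl is None:
                findings.append(f"SNMP community '{community}' has no access-list restricting source hosts")
            elif acl not in acls:
                findings.append(f"SNMP community '{community}' references undefined access-list '{acl}'")
        elif tokens[:2] == ["snmp-server", "group"] and "v3" in tokens:
            if "priv" in tokens:
                v3_priv = True
            else:
                findings.append(f"SNMPv3 group '{tokens[2]}' lacks privacy (priv); traffic is not encrypted")
    if communities and not v3_priv:
        findings.append("SNMPv1/v2c community strings in use with no SNMPv3 authPriv group configured")

    # VTY lines: Telnet must not be an accepted transport, and SSH should be set explicitly.
    in_vty, saw_transport = False, False
    for line in lines + ["!"]:                    # sentinel closes a trailing vty block
        if line.startswith("line vty"):
            in_vty, saw_transport = True, False
            continue
        if in_vty and not line.startswith(" "):
            if not saw_transport:
                findings.append("vty lines have no explicit 'transport input ssh'")
            in_vty = False
        if in_vty:
            m = re.match(r"\s+transport input (.+)", line)
            if m:
                saw_transport = True
                allowed = m.group(1).split()
                if "telnet" in allowed or "all" in allowed:
                    findings.append(f"vty lines accept Telnet ('transport input {m.group(1)}')")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_ios_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Run against the weak sample it reports seven findings (both default strings, the RW community, two communities with no source ACL, no SNMPv3 group, Telnet on the vty lines); the hardened sample passes clean. The script reads the config as text, so it can be run on configs pulled from a backup system without touching the device.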

Devices still running the vulnerable IOS versions remain exploitable using the TTPs described in the advisory. Cisco urges organisations to apply the mitigations above.

Source: https://cybersecuritynews.com/apt28-hackers-deploy-malware-on-cisco-routers/