Wednesday, January 15, 2025

Russian APT28 Group Exploiting Vulnerabilities in Cisco Routers


A recent report from CISA (the US Cybersecurity and Infrastructure Security Agency) revealed that the APT28 group was responsible for exploiting poorly maintained Cisco routers using CVE-2017-6742.

CVE-2017-6742 Attack: Reconnaissance with RCE in Cisco

SNMP (Simple Network Management Protocol) is a networking protocol used by network administrators for monitoring and configuring devices remotely.

From an attacker's perspective, SNMP can be used to extract sensitive information about a device and the network around it, and a vulnerable SNMP implementation can serve as an entry point into that network.

CVE-2017-6742 is such a case: a remote code execution vulnerability in the SNMP implementation of Cisco routers.

In June 2017, Cisco released patches along with an advisory describing workarounds, such as limiting SNMP access to trusted hosts or disabling the affected SNMP management information bases (MIBs).

Along with CISA, the NCSC (UK National Cyber Security Centre), the NSA (US National Security Agency), and the Federal Bureau of Investigation (FBI) claim that APT28 is operated by the General Staff Main Intelligence Directorate (GRU) 85th Special Service Centre (GTsSS) Military Intelligence Unit 26155.

According to the CISA report, APT28 has been using commercially available code repositories and post-exploitation frameworks to gain access and deploy malware.

The report states, “As of 2021, APT28 has been observed using commercially available code repositories, and post-exploit frameworks such as Empire. This included the use of Powershell Empire, in addition to Python versions of Empire.”

The report also states that APT28 used CVE-2017-6742 to exploit SNMP and deploy malware, which then exfiltrated device information via TFTP (Trivial File Transfer Protocol).

The same malware, which the report names Jaguar Tooth, also provides unauthenticated backdoor access to the compromised router.

APT28 is described by CISA as a highly skilled threat actor. The group is also tracked as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang, and Sofacy.

History of Activities by APT28

  • APT28 was responsible for a cyber attack on the German parliament in 2015, resulting in data theft and disruption of email accounts belonging to the German Members of Parliament and the vice-chancellor.
  • In 2018, APT28, acting for the GRU, also attempted to attack the OPCW (Organisation for the Prohibition of Chemical Weapons) in order to disrupt its independent analysis of chemical weapons.

Indicators of Compromise

Multiple indicators of compromise for this campaign against Cisco routers are listed on the Jaguar Tooth malware analysis report (MAR) page.

Tactics, Techniques, and Procedures:

Tactic: Initial Access
ID: T1190
Technique: Exploit Public-Facing Application
Procedure: APT28 exploited default/well-known community strings in SNMP as outlined in CVE-2017-6742 (Cisco Bug ID: CSCve54313).

Tactic: Initial Access
ID: T1078.001
Technique: Valid Accounts: Default Accounts
Procedure: Actors accessed victim routers by using default community strings such as “public.”

Tactic: Reconnaissance
ID: T1590
Technique: Gather Victim Network Information
Procedure: Access was gained to perform reconnaissance on victim devices. Further detail of how this was achieved is available in the MITRE ATT&CK section of the Jaguar Tooth MAR.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
