A recent joint advisory from CISA (the US Cybersecurity and Infrastructure Security Agency) and partner agencies revealed that the APT28 group exploited poorly maintained Cisco routers using CVE-2017-6742.
SNMP (Simple Network Management Protocol) is a networking protocol used by network administrators for monitoring and configuring devices remotely.
From an attacker's perspective, the protocol is a source of sensitive device and network information, and if the SNMP implementation on a device is vulnerable it can be used to gain a foothold in the network.
CVE-2017-6742 is one such vulnerability: a buffer overflow in the SNMP subsystem of Cisco IOS and IOS XE Software that allows an attacker who knows a valid SNMP community string to execute code remotely on the router.
Cisco released patches in June 2017, along with an advisory describing workarounds such as restricting SNMP access to trusted hosts and disabling the affected MIBs (Management Information Bases).
Along with CISA, the NCSC (UK National Cyber Security Centre), the NSA (US National Security Agency) and the FBI (Federal Bureau of Investigation) state that APT28 is operated by the Russian General Staff Main Intelligence Directorate (GRU) 85th Special Service Centre (GTsSS) Military Intelligence Unit 26165.
According to the report, APT28 has been using commercially available code repositories and post-exploitation frameworks to gain access and deploy malware.
The report states, “As of 2021, APT28 has been observed using commercially available code repositories, and post-exploit frameworks such as Empire. This included the use of Powershell Empire, in addition to Python versions of Empire.”
The report also states that APT28 used CVE-2017-6742 to exploit SNMP and deploy its Jaguar Tooth malware, which collects device information and exfiltrates it via TFTP (Trivial File Transfer Protocol).
The malware also enables unauthenticated backdoor access to the router.
CISA describes APT28 as a highly skilled threat actor. The group is also known as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang and Sofacy.
Indicators of compromise for this campaign against Cisco routers are listed in the Jaguar Tooth malware analysis report (MAR).
| Tactic | ID | Technique | Procedure |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | APT28 exploited default/well-known community strings in SNMP as outlined in CVE-2017-6742 (Cisco Bug ID: CSCve54313). |
| Initial Access | T1078.001 | Valid Accounts: Default Accounts | Actors accessed victim routers by using default community strings such as "public". |
| Reconnaissance | T1590 | Gather Victim Network Information | Access was gained to perform reconnaissance on victim devices. Further detail of how this was achieved is available in the MITRE ATT&CK section of the Jaguar Tooth MAR. |
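The two conditions above (a default community string such as "public", and SNMP reachable from untrusted hosts, which the Cisco advisory's workaround addresses) are both visible in a router's running configuration. The following audit script is an added example written for this page, not code from CISA, Cisco or the Jaguar Tooth MAR. It parses an IOS-style config for `snmp-server community` lines, flags well-known community strings, communities with no access-list, read-write communities, and the absence of an SNMPv3 authPriv group. Both config excerpts are constructed samples; the hostname, ACL name, group name, user name and the secret placeholders are assumptions.

```python
"""Audit a Cisco IOS-style running-config for weak SNMP exposure.

Added example for this page (not from CISA, Cisco or the Jaguar Tooth MAR).
Checks the two conditions the advisory table describes: default community
strings (T1078.001) and SNMP that is not restricted to trusted hosts.
"""
import re
from dataclasses import dataclass
from typing import List

# Well-known community strings that scanners and attackers try first.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "manager", "monitor", "snmp", "secret"}

# snmp-server community <string> [view <name>] [ro|rw] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view (\S+))?(?: (ro|rw))?(?: (\S+))?\s*$", re.I
)
# Matches both "access-list 10 ..." and "ip access-list standard NAME".
ACL_RE = re.compile(r"^(?:ip )?access-list(?: standard| extended)? (\S+)", re.I)
V3_GROUP_RE = re.compile(r"^snmp-server group \S+ v3 (auth|priv)\b", re.I)

# Constructed sample: the weak configuration the advisory table describes.
WEAK_CONFIG = """\
! constructed sample running-config excerpt, not from a real device
hostname edge-rtr-1
snmp-server community public RO
snmp-server community private RW
snmp-server location DC-1
"""

# Constructed sample: SNMPv3 authPriv only, reachable from one management host.
# Hostname, ACL/group/user names and the secret placeholders are assumptions.
HARDENED_CONFIG = """\
! constructed sample running-config excerpt, not from a real device
hostname edge-rtr-1
ip access-list standard SNMP-MGMT
 permit 192.0.2.10
 deny any log
snmp-server group NMS-V3 v3 priv access SNMP-MGMT
snmp-server user nms-poller NMS-V3 v3 auth sha <auth-secret> priv aes 128 <priv-secret>
snmp-server location DC-1
"""


@dataclass
class Finding:
    severity: str  # critical / high / medium
    line: str      # the offending config line
    reason: str


def audit_snmp_config(config: str) -> List[Finding]:
    """Return findings for weak SNMP settings; an empty list means nothing flagged."""
    lines = [ln.strip() for ln in config.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("!")]

    defined_acls = {m.group(1) for ln in lines if (m := ACL_RE.match(ln))}
    has_v3_auth = any(V3_GROUP_RE.match(ln) for ln in lines)
    findings: List[Finding] = []
    saw_community = False

    for ln in lines:
        m = COMMUNITY_RE.match(ln)
        if not m:
            continue
        saw_community = True
        community, _view, mode, acl = m.groups()
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(Finding("critical", ln, f"default/well-known community string {community!r}"))
        if acl is None:
            findings.append(Finding("high", ln, "no access-list: any host that learns the string can query SNMP"))
        elif acl not in defined_acls:
            findings.append(Finding("high", ln, f"references access-list {acl!r} that is not defined"))
        if (mode or "ro").lower() == "rw":
            findings.append(Finding("high", ln, "read-write community: allows configuration changes over SNMP"))

    # Any v1/v2c community is a plaintext shared secret; require an SNMPv3 auth/priv group.
    if saw_community and not has_v3_auth:
        findings.append(Finding("medium", "snmp-server community ...", "SNMPv1/v2c only; no SNMPv3 auth/priv group configured"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} config ==")
        for f in audit_snmp_config(cfg) or []:
            print(f"[{f.severity}] {f.line}: {f.reason}")
```

Run against the weak sample it reports two critical findings (the "public" and "private" strings), three high findings and one medium; the hardened sample produces none. A non-default community string alone does not remove CVE-2017-6742, since anyone who captures or guesses the string can still reach the overflow, so the ACL and the vendor patch are the actual fix. The script does not check the advisory's other workaround, excluding the affected MIBs from SNMP views, because that needs the per-MIB list from the Cisco advisory.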