A recent report from CISA (US Cybersecurity and Infrastructure Security Agency) revealed that the APT 28 group was responsible for exploiting Cisco routers with poor maintenance using CVE-2017-6742.
SNMP (Simple Network Management Protocol) is a networking protocol used by network administrators for monitoring and configuring devices remotely.
From an attacker’s perspective, this protocol can extract sensitive information. If the protocol on a device is vulnerable, it can be used to penetrate the network.
However, CVE-2017-6742 is a remote code execution bug on the SNMP protocol of Cisco routers.
As of June 2017, Cisco released patches along with an advisory that had information on workarounds like access limitation to trusted hosts or disabling SNMP management information.
Along with CISA, the NCSC (UK National Cyber Security Center), the NSA (US National Security Agency), and the Federal Bureau of Investigation (FBI) claims that APT 28 is operated by the General Staff Main Intelligence (GRU) 85th Special Service Centre (GTsSS) Military Intelligence Unit 26155.
As per the report from CISA, APT28 had been using commercial code repositories and post-exploit frameworks for gaining access and deploying malware.
The report states, “As of 2021, APT28 has been observed using commercially available code repositories, and post-exploit frameworks such as Empire. This included the use of Powershell Empire, in addition to Python versions of Empire.”
The report also stated that the APT28 threat actor used this CVE-2017-6742 to exploit SNMP and deploy the malware they use to extract information via TFTP (Trivial File Transfer Protocol).
The malware was also used to enable unauthenticated access through a backdoor. The malware used by this group is Jaguar Tooth Malware.
APT 28 is known to be a highly skilled threat actor, as mentioned by the CISA. The group had names like Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang, and Sofacy).
There are multiple Indicators of Compromise for this attack on Cisco routers which can be found on the malware analysis page of Jaguar Tooth malware.
| Tactic | ID | Technique | Procedure |
| Initial Access | T1190 | Access was gained to perform reconnaissance on victim devices. Further detail of how this was achieved is available in the MITRE ATT&CK section of the Jaguar Tooth MAR. | APT28 exploited default/well-known community strings in SNMP as outlined in CVE-2017-6742 (Cisco Bug ID: CSCve54313). |
| Initial Access | T1078.001 | Valid Accounts: Default Accounts. | Actors accessed victim routers by using default community strings such as “public.” |
| Reconnaissance | T1590 | Gather Victim Network Information | Access was gained to perform reconnaissance on victim devices. Further detail of how this was achieved in available in the MITRE ATT&CK section of the Jaguar Tooth MAR. |
Cybercriminals are increasingly exploiting search engine optimization (SEO) techniques and paid advertisements to manipulate search…
Cybersecurity experts have unearthed an intricate cyber campaign that leverages deceptive websites posing as the…
Hackers are exploiting what's known as "Dangling DNS" records to take over corporate subdomains, posing…
Security researchers and cybersecurity experts have recently uncovered new variants of the notorious HelloKitty ransomware,…
The RansomHub ransomware group has emerged as a significant danger, targeting a wide array of…
Threat actors are increasingly using email bombing to bypass security protocols and facilitate further malicious…