Russian APT28 Group Exploiting Vulnerabilities in Cisco Routers

A recent report from CISA (US Cybersecurity and Infrastructure Security Agency)  revealed that the APT 28 group was responsible for exploiting Cisco routers with poor maintenance using CVE-2017-6742

CVE-2017-6742 Attack:  Reconnaissance with RCE in Cisco

SNMP (Simple Network Management Protocol) is a networking protocol used by network administrators for monitoring and configuring devices remotely.

From an attacker’s perspective, this protocol can extract sensitive information. If the protocol on a device is vulnerable, it can be used to penetrate the network.

However, CVE-2017-6742 is a remote code execution bug on the SNMP protocol of Cisco routers.

As of June 2017, Cisco released patches along with an advisory that had information on workarounds like access limitation to trusted hosts or disabling SNMP management information.

Along with CISA, the NCSC (UK National Cyber Security Center), the NSA (US National Security Agency), and the Federal Bureau of Investigation (FBI) claims that APT 28 is operated by the General Staff Main Intelligence (GRU) 85th Special Service Centre (GTsSS) Military Intelligence Unit 26155.

As per the report from CISA, APT28 had been using commercial code repositories and post-exploit frameworks for gaining access and deploying malware. 

The report states, “As of 2021, APT28 has been observed using commercially available code repositories, and post-exploit frameworks such as Empire. This included the use of Powershell Empire, in addition to Python versions of Empire.

The report also stated that the APT28 threat actor used this CVE-2017-6742 to exploit SNMP and deploy the malware they use to extract information via TFTP (Trivial File Transfer Protocol).

The malware was also used to enable unauthenticated access through a backdoor. The malware used by this group is Jaguar Tooth Malware.


APT 28 is known to be a highly skilled threat actor, as mentioned by the CISA. The group had names like Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang, and Sofacy).

History of Activities by APT28

  • APT28 was responsible for a cyber attack on the German parliament in 2015, resulting in data theft and disruption of email accounts belonging to the German Members of Parliament and the vice-chancellor.
  • APT28 also attempted to attack the OPCW (Organisation for the Prohibition of Chemical Weapons) in 2018 to collapse the Chemical Weapon independent analysis by GRU.

Indicators of Compromise

There are multiple Indicators of Compromise for this attack on Cisco routers which can be found on the malware analysis page of Jaguar Tooth malware.

Tactics, Techniques, and Procedures:

TacticIDTechniqueProcedure
Initial AccessT1190Access was gained to perform reconnaissance on victim devices. Further detail of how this was achieved is available in the MITRE ATT&CK section of the Jaguar Tooth MAR.APT28 exploited default/well-known community strings in SNMP as outlined in CVE-2017-6742 (Cisco Bug ID: CSCve54313).
Initial AccessT1078.001Valid Accounts: Default Accounts.Actors accessed victim routers by using default community strings such as “public.”
ReconnaissanceT1590Gather Victim Network InformationAccess was gained to perform reconnaissance on victim devices. Further detail of how this was achieved in available in the MITRE ATT&CK section of the Jaguar Tooth MAR.

Struggling to Apply The Security Patch in Your System? –
Try All-in-One Patch Manager Plus

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Ex-ASML Russian Employee Smuggled Trade Secrets to Moscow via USB

A former employee of Dutch semiconductor firm ASML, identified as German A. (43), stands accused…

1 hour ago

Critical Apache Parquet Vulnerability Allows Remote Code Execution

A severe vulnerability has been identified in the Apache Parquet Java library, specifically within its parquet-avro module.…

1 hour ago

Halo ITSM Vulnerability Lets Attackers Inject Malicious SQL Code

A critical security flaw has been discovered in Halo ITSM, an IT support management software widely…

3 hours ago

Australian Pension Funds Hacked: Members Face Financial Losses

Several of Australia’s largest superannuation funds have been targeted in a coordinated cyberattack, leading to…

4 hours ago

Frida Penetration Testing Toolkit Updated with Advanced Threat Monitoring APIs

In a significant update to the popular dynamic instrumentation toolkit Frida, developers have introduced powerful…

4 hours ago

OpenVPN Flaw Allows Attackers Crash Servers and Run Remote Code

OpenVPN, a widely-used open-source virtual private network (VPN) software, has recently patched a security vulnerability…

6 hours ago