
UK and US cybersecurity and intelligence agencies have warned that Russian nation-state actors are exploiting now-patched flaws in Cisco network equipment to conduct reconnaissance and deploy malware against targets.
According to authorities, the intrusion occurred in 2021 and targeted a handful of European organizations, U.S. government agencies, and about 250 Ukrainian victims.
This activity is tracked as APT28, also known as Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, and Sofacy, and is attributed to threat actors affiliated with the Russian General Staff Intelligence Service (GRU).
“APT28 is known to use weak default SNMP community strings and exploit CVE-2017-6742 to gain access to vulnerable routers,” said the National Cyber Security Centre (NCSC).
CVE-2017-6742 (CVSS score: 8.8) is part of a series of remote code execution flaws caused by buffer overflow conditions in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software.
In the observed attacks, the vulnerability was weaponized to deploy non-persistent malware called Jaguar Tooth on Cisco routers; the implant gathers device information and allows unauthenticated backdoor access.
Cisco patched the issue in June 2017, and it has been known to be exploited since January 11, 2018, underscoring the need for robust patch management practices to limit the attack surface.
In addition to updating to the latest firmware to mitigate potential threats, Cisco also encourages users to switch from SNMP to NETCONF or RESTCONF for network management.
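The two weaknesses the advisory names on the SNMP side are well-known default community strings and SNMPv1/v2c access that is not tied down. The script below is an added illustration, not code from the advisory or from Cisco: it audits a constructed excerpt of a Cisco IOS running-config for default community strings, read-write communities and community lines with no ACL, and reports whether an SNMPv3 group is configured at all. The config text, the list of default strings and the simplified `snmp-server community` line pattern are all assumptions made for the example; real configs can carry extra keywords (views, IPv6 ACLs) that this pattern does not parse.

```python
import re

# Constructed sample of a Cisco IOS running-config excerpt (not taken from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
snmp-server community public RO
snmp-server community private RW
snmp-server community s3cr3t-ro RO 10
snmp-server group NETOPS v3 priv
snmp-server user netops NETOPS v3 auth sha ExampleAuthPass priv aes 128 ExamplePrivPass
"""

# Community strings that ship as defaults or appear in every wordlist; assumption for the example.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "manager"}

# Simplified pattern: "snmp-server community <string> RO|RW [<acl>]" (view/ipv6 keywords not handled).
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)\s+(RO|RW)(?:\s+(\S+))?\s*$", re.IGNORECASE)


def audit_snmp_config(config_text):
    """Return {'findings': [(line_no, kind, message), ...], 'snmpv3_configured': bool}."""
    findings = []
    snmpv3_configured = False

    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()

        match = COMMUNITY_RE.match(line)
        if match:
            community, mode, acl = match.group(1), match.group(2).upper(), match.group(3)
            # Any v1/v2c community is plaintext on the wire; the checks below grade how bad it is.
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((line_no, "default-community",
                                 f"community '{community}' is a well-known default string"))
            if mode == "RW":
                findings.append((line_no, "rw-community",
                                 f"community '{community}' grants write access to the device"))
            if acl is None:
                findings.append((line_no, "no-acl",
                                 f"community '{community}' is not restricted to management hosts by an ACL"))
            continue

        # An SNMPv3 group with 'priv' gives authenticated and encrypted access.
        if line.startswith("snmp-server group") and " v3 " in line:
            snmpv3_configured = True

    return {"findings": findings, "snmpv3_configured": snmpv3_configured}


def summarize(report):
    """Human-readable lines for an audit report (used when run as a script)."""
    lines = [f"{n}: [{kind}] {msg}" for n, kind, msg in report["findings"]]
    lines.append("SNMPv3 group configured: " + ("yes" if report["snmpv3_configured"] else "no"))
    return lines


if __name__ == "__main__":
    for out in summarize(audit_snmp_config(SAMPLE_CONFIG)):
        print(out)
```

On the sample, the `public` and `private` lines each trigger a default-string finding and a missing-ACL finding, and `private` additionally a read-write finding; the `s3cr3t-ro` community passes because it is non-default, read-only and bound to access list 10. A device where every community line is clean but `snmpv3_configured` is false is still worth flagging, since the advisory's recommendation is to move to SNMPv3 or off SNMP entirely.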
In a coordinated advisory, Cisco Talos said the attack was part of a broader campaign against aging network appliances and software from various vendors to “advance espionage objectives or prevent future disruption,” which it describes as preparation for future activity.
This includes the installation of malicious software on infrastructure devices, attempts to monitor network traffic, and attacks by “adversaries with pre-existing access to internal environments” that target TACACS+/RADIUS servers to obtain credentials.
“Route/switch devices are stable, rarely inspected from a security perspective, often poorly patched, and provide deep visibility into the network,” said Matt Olney, Director of Threat Intelligence and Interdiction at Cisco.
“They are silent, perfect targets for adversaries seeking access to critical intelligence capabilities and a foothold in a preferred network.”
The warning comes months after the U.S. government warned of a China-based nation-state hacking crew that has exploited network vulnerabilities to target public and private sector organizations since at least 2020.
Additionally, earlier this year, Google-owned Mandiant highlighted efforts by Chinese government-backed actors to deploy bespoke malware on vulnerable Fortinet and SonicWall devices.
“Sophisticated cyber espionage threat actors utilize all available techniques to persist in and traverse target environments, especially those that do not support [endpoint detection and response] solutions,” said Mandiant.