Russian Hackers Targeting Flaw In Cisco Routers

Russian hacking group APT28 has been exploiting a six-year-old vulnerability in Cisco routers to deploy malware and carry out surveillance on both individuals and organizations in the United States, Europe, and Ukraine.

The state-sponsored group has been using an old vulnerability, CVE-2017-6742, to execute code on routers and gain remote access. While Cisco had patched the vulnerabilities in 2017, many organizations failed to apply the fixes, leaving them open to attacks.

The US and UK cybersecurity agencies, including the UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA) and the US Federal Bureau of Investigation (FBI), have issued a joint advisory, stating that “in 2021, APT28 used infrastructure to masquerade Simple Network Management Protocol (SNMP) access into Cisco routers worldwide. This included a small number based in Europe, US government institutions and approximately 250 Ukrainian victims.”

The joint advisory said that in their attacks, the hackers used SNMP exploits to deploy malware such as Jaguar Tooth, which allowed them to obtain additional device information and enable backdoor access to the system.

In a blog post, Cisco warned its customers that it “is deeply concerned by an increase in the rate of high-sophistication attacks on network infrastructure — that we have observed and have seen corroborated by numerous reports issued by various intelligence organizations — indicating state-sponsored actors are targeting routers and firewalls globally.”

The Cisco router flaw has previously allowed hackers to get a foothold in a preferred network, providing them with deep network visibility. The company advised its customers to use a well-selected SNMP community string and other best practices, which could prevent attacks even if a device remains unpatched.

Cisco also warned that the threat is not limited to its products — instead, it’s part of a broader campaign against aging networking appliances and software from various vendors. The company recommended that “if you are not using SNMP v3, even well-chosen credentials are transmitted in the clear and are subject to capture. NETCONF (Network Configuration Protocol) and RESTCONF are modern network management protocols designed to offer better security and functionality than their older counterpart, SNMP.”

Russia is not the only country taking such actions. CISA released a report indicating that Chinese adversaries are also targeting network equipment from a diverse range of manufacturers.