Patched holes in Cisco routers have been used by Russians for years: Report

Share post:

Russian government attackers have been exploiting unpatched and badly-configured Cisco Systems routers since 2021, according to an alert from U.S. and U.K. cybersecurity agencies.

The vulnerabilities, which were publicized and patched in 2017, are in the Simple Network Management Protocol (SNMP) subsystem of Cisco’s IOS and IOS XE Software. They could allow an authenticated remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6.

The threat actor that’s been exploiting these holes for over two years is what threat researchers variously call APT28, Fancy Bear, Strontium, Pawn Storm, the Sednit Gang and Sofacy. But the security agencies say whatever the name it is, it’s almost certainly the intelligence unit of the Russian Military General Staff (GRU).

“In 2021, APT28 used infrastructure to masquerade Simple Network Management
protocol (SNMP) access into Cisco routers worldwide,” today’s report says. “This included a small number based in Europe, U.S. government institutions, and approximately 250 Ukrainian victims.”

SNMP is designed to allow network administrators to monitor and configure network
devices remotely, says the report, but it can also be misused to obtain sensitive network information and, if vulnerable, exploit devices to penetrate a network.

“A number of software tools can scan the entire network using SNMP, meaning that
poor configuration, such as using default or easy-to-guess community strings, can
make a network susceptible to attacks. Weak SNMP community strings, including the default ‘public’, allowed APT28 to gain access to router information. APT28 sent additional SNMP commands to enumerate router interfaces.”

The compromised routers were configured to accept SNMP v2 requests. SNMP v2 doesn’t support encryption and so all data, including community strings, is sent unencrypted.

For some of the targeted devices, APT28 actors used an SNMP exploit to deploy
malware the U.K.’s National Cyber Security Centre calls Jaguar Tooth, which collects device information and exfiltrates over Trivial File Transfer Protocol (TFTP), and also enables unauthenticated backdoor access.

Cisco says all devices that have enabled SNMP and have not explicitly excluded the affected management information bases (MIBs) or object IDs (OID)s should be considered vulnerable. In addition to installing the latest firmware and security updates, Cisco administrators should also limit access to SNMP from trusted hosts only, or disable a number of SNMP Management Information bases outlined in its 2017 advisory.

The post Patched holes in Cisco routers have been used by Russians for years: Report first appeared on IT World Canada.
Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

SUBSCRIBE NOW

Related articles

Russian State-Backed Cyber Attack Exploits Zero-Day Vulnerabilities in Windows and Firefox

Headline: A sophisticated cyberattack leveraging two chained zero-day vulnerabilities in Mozilla Firefox and Microsoft Windows has been confirmed by...

Starbucks Forced to Pay Baristas Manually After Ransomware Attack

A ransomware attack on Blue Yonder, a third-party scheduling software provider, has disrupted Starbucks’ ability to manage employee...

Google Launches Free Cybersecurity Certificate for Entry-Level Jobs

Google has introduced a new Cybersecurity Professional Certificate, aimed at preparing students for entry-level roles in just six...

Critical Vulnerability Leaves Millions Of Sites Vulnerable To Takeover

A severe authentication bypass vulnerability has been discovered in the WordPress plugin "Really Simple Security" (formerly *Really Simple...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways