Patched holes in Cisco routers have been used by Russians for years: Report

Share post:

Russian government attackers have been exploiting unpatched and badly-configured Cisco Systems routers since 2021, according to an alert from U.S. and U.K. cybersecurity agencies.

The vulnerabilities, which were publicized and patched in 2017, are in the Simple Network Management Protocol (SNMP) subsystem of Cisco’s IOS and IOS XE Software. They could allow an authenticated remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6.

The threat actor that’s been exploiting these holes for over two years is what threat researchers variously call APT28, Fancy Bear, Strontium, Pawn Storm, the Sednit Gang and Sofacy. But the security agencies say whatever the name it is, it’s almost certainly the intelligence unit of the Russian Military General Staff (GRU).

“In 2021, APT28 used infrastructure to masquerade Simple Network Management
protocol (SNMP) access into Cisco routers worldwide,” today’s report says. “This included a small number based in Europe, U.S. government institutions, and approximately 250 Ukrainian victims.”

SNMP is designed to allow network administrators to monitor and configure network
devices remotely, says the report, but it can also be misused to obtain sensitive network information and, if vulnerable, exploit devices to penetrate a network.

“A number of software tools can scan the entire network using SNMP, meaning that
poor configuration, such as using default or easy-to-guess community strings, can
make a network susceptible to attacks. Weak SNMP community strings, including the default ‘public’, allowed APT28 to gain access to router information. APT28 sent additional SNMP commands to enumerate router interfaces.”

The compromised routers were configured to accept SNMP v2 requests. SNMP v2 doesn’t support encryption and so all data, including community strings, is sent unencrypted.

For some of the targeted devices, APT28 actors used an SNMP exploit to deploy
malware the U.K.’s National Cyber Security Centre calls Jaguar Tooth, which collects device information and exfiltrates over Trivial File Transfer Protocol (TFTP), and also enables unauthenticated backdoor access.

Cisco says all devices that have enabled SNMP and have not explicitly excluded the affected management information bases (MIBs) or object IDs (OID)s should be considered vulnerable. In addition to installing the latest firmware and security updates, Cisco administrators should also limit access to SNMP from trusted hosts only, or disable a number of SNMP Management Information bases outlined in its 2017 advisory.

The post Patched holes in Cisco routers have been used by Russians for years: Report first appeared on IT World Canada.
Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

SUBSCRIBE NOW

Related articles

Cyber Security Today, May 24, 2024 – A threat actor leverages Windows BitLocker in ransomware attacks, beware of ORB networks, and more

A threat actor leverages Windows BitLocker in ransomware attacks, beware of ORB networks, and more. Welcome to Cyber Security...

Canada centralizing cybersecurity efforts of federal IT departments

Federal departments and agencies are making only marginal progress in improving their cyber maturity, Ottawa said Wednesday as...

Cyber Security Today, May 22, 2024 – LockBit ransomware gang hits more victims, Fluent Bit servers need to be updated, and more

LockBit ransomware gang hits more victims, Fluent Bit servers need to be updated, and more. Welcome to Cyber Security...

Google criticizes Microsoft’s security practices in new report

Google has publicly criticized Microsoft for a series of security missteps, suggesting that organizations might consider more secure...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways