Summary:
“The US, UK, and Cisco are warning of Russian state-sponsored APT28 hackers deploying a custom malware named 'Jaguar Tooth' on Cisco IOS routers, allowing unauthenticated access to the device. APT28, also known as Fancy Bear, STRONTIUM, Sednit, and Sofacy, is a state-sponsored hacking group linked to Russia's General Staff Main Intelligence Directorate (GRU). This hacking group has been attributed to a wide range of attacks on European and US interests and is known to abuse zero-day exploits to conduct cyber espionage” (Bleeping Computer, 2023).

In a joint report released yesterday by the NCSC, CISA, NSA, and the FBI, the agencies released details on how APT28 hackers have been exploiting an old SNMP flaw in Cisco IOS routers to deploy a custom malware called Jaguar Tooth.

The malware is injected directly into the memory of Cisco routers running older firmware versions. The malware can be used to exfiltrate information from the router and provides an unauthenticated backdoor.

"Jaguar Tooth is non-persistent malware that targets Cisco IOS routers running firmware: C5350-ISM, Version 12.3(6)," warns the NCSC advisory. "It includes functionality to collect device information, which it exfiltrates over TFTP, and enables unauthenticated backdoor access. It has been observed being deployed and executed via exploitation of the patched SNMP vulnerability CVE-2017-6742."

Analyst comments:
Threat actors are able to scan for public Cisco routers using weak SNMP public strings. These “community” strings work similar to credentials and can allow anyone who knows the string to query SNMP data on the device. By exploiting CVE-2017-6742, which was fixed in June of 2017, threat actors can execute remote exploits which are publicly available. Once the threat actors access the Cisco router, they patch its memory to install the custom, non-persistent Jaguar Tooth malware. "This grants access to existing local accounts without checking the provided password, when connecting via Telnet or physical session," explains the NCSC malware analysis report.

In addition, the malware creates a new process named 'Service Policy Lock' that collects the output from the following Command Line Interface (CLI) commands and exfiltrates it using TFTP:

• show running-config
• show version
• show ip interface brief
• show arp
• show cdp neighbors
• show start
• show ip route
• show flash

State-sponsored threat actors continue to create custom malware for networking device, which the article says is a growing trend. Exploiting networking devices promotes many nations interests in cyber espionage and surveillance.

In March, Fortinet and Mandiant disclosed that Chinese hackers were targeting vulnerable Fortinet devices with custom malware in a series of attacks against government entities. Also in March, Mandiant reported on a suspected Chinese hacking campaign that installed custom malware on exposed SonicWall devices.

Many Endpoint Detection and Response (EDR) solutions do not support edge network devices, making them popular targets for cybercriminals. These devices often contain corporate traffic and can be used to gather credentials for further access into the network.

We have includes a list of YARA and SNORT rules admins can use to check for exploitation.

Mitigation:
All Cisco admins should upgrade their routers to the latest firmware to mitigate these attacks.

Cisco also recommends switching from SNMP to NETCONF/RESTCONF on public routers for remote management, as it offers more robust security and functionality.

If SNMP is required, admins should configure allow and deny lists to restrict who can access the SNMP interface on publicly exposed routers, and the community string should be changed to a sufficiently strong, random string.

CISA also recommends disabling SNMP v2 or Telnet on Cisco routers, as these protocols could allow credentials to be stolen from unencrypted traffic.

Finally, if a device is suspected of having been compromised, CISA recommends using Cisco's advice for verifying the integrity of the IOS image, revoking all keys associated with the device and to not reuse old keys, and to replace images with those directly from Cisco.

Source:
https://www.bleepingcomputer.com/ne...ackers-using-custom-malware-on-cisco-routers/
https://blogs.cisco.com/security/threat-actors-exploiting-snmp-vulnerabilities-in-cisco-routers
PDF: https://www.ncsc.gov.uk/static-asse...eports/jaguar-tooth/NCSC-MAR-Jaguar-Tooth.pdf