US, UK security agencies warn of APT28 hackers exploiting known Cisco vulnerability, issue mitigation action

Lead security agencies in the U.S. and U.K. published Tuesday a joint Cybersecurity Advisory (CSA) report on the tactics, techniques, and procedures (TTPs) associated with APT28’s exploitation of Cisco routers. The agencies assess that the APT28 group exploits a known vulnerability to carry out reconnaissance of routers and deploy malware, while also accessing poorly maintained Cisco routers and deploying malware on unpatched devices using CVE-2017-6742.

The transatlantic document issued by the U.K.’s National Cyber Security Centre (NCSC), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) indicated that APT28 hackers masqueraded Simple Network Management Protocol (SNMP) access to exploit the vulnerability and reach vulnerable Cisco routers worldwide in 2021. Titled ‘APT28 exploits known vulnerability to carry out reconnaissance and deploy malware on Cisco routers,’ the advisory disclosed that affected targets included U.S. government institutions, approximately 250 Ukrainian victims, and a small number based in Europe.

SNMP is designed to allow network administrators to monitor and configure network devices remotely, but it can also be misused to obtain sensitive network information and, if vulnerable, exploit devices to penetrate a network, the advisory said. “A number of software tools can scan the entire network using SNMP, meaning that poor configuration such as using default or easy-to-guess community strings, can make a network susceptible to attacks.”

The advisory said that weak SNMP community strings, including the default ‘public,’ allowed APT28 to gain access to router information. “APT28 sent additional SNMP commands to enumerate router interfaces. The compromised routers were configured to accept SNMP v2 requests. SNMP v2 doesn’t support encryption and so all data, including community strings, is sent unencrypted,” it added.
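As an added illustration of the point the advisory makes about SNMP v1/v2c (this is not code from the advisory or from Cisco), the following Python decodes the BER header of an SNMP datagram to show that the version and community string are readable in the clear, and flags the default strings named above. The datagrams are constructed samples, not captured traffic.

```python
"""Inspect captured SNMP datagrams and flag the plaintext v1/v2c community strings
the advisory describes. The sample datagrams below are constructed, not captured."""

DEFAULT_COMMUNITIES = {"public", "private"}  # defaults the advisory says APT28 used

def _read_tlv(buf: bytes, pos: int):
    """Decode one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def inspect_snmp(datagram: bytes) -> dict:
    """Return version, whether the protocol is plaintext and, for v1/v2c, the community."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = {0: "v1", 1: "v2c", 3: "v3"}.get(int.from_bytes(ver, "big"), "unknown")
    result = {"version": version, "plaintext": version in ("v1", "v2c"),
              "community": None, "default_community": False}
    if result["plaintext"]:
        tag, community, _ = _read_tlv(body, pos)   # v1/v2c: community follows the version
        if tag != 0x04:
            raise ValueError("community OCTET STRING missing")
        result["community"] = community.decode("ascii", "replace")
        result["default_community"] = result["community"].lower() in DEFAULT_COMMUNITIES
    return result

def _tlv(tag: int, value: bytes) -> bytes:
    """Short-form BER encoder, enough to build the constructed samples."""
    return bytes([tag, len(value)]) + value

# Constructed GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0): request-id 1, no error.
_PDU = _tlv(0xA0, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00")
            + _tlv(0x30, _tlv(0x30, _tlv(0x06, bytes.fromhex("2b06010201010100")) + _tlv(0x05, b""))))
SAMPLE_V2C_PUBLIC = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, b"public") + _PDU)
SAMPLE_V1_CUSTOM = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x04, b"r0-Xq8!mon") + _PDU)
# Constructed SNMPv3 header (msgVersion + msgGlobalData only): no community on the wire.
SAMPLE_V3_HEADER = _tlv(0x30, _tlv(0x02, b"\x03") + _tlv(0x30, _tlv(0x02, b"\x01")
                        + _tlv(0x02, b"\x7f") + _tlv(0x04, b"\x07") + _tlv(0x02, b"\x03")))

if __name__ == "__main__":
    for name in ("SAMPLE_V2C_PUBLIC", "SAMPLE_V1_CUSTOM", "SAMPLE_V3_HEADER"):
        print(name, inspect_snmp(globals()[name]))
```

Fed UDP/161 payloads from a capture, the same function lists every community string an eavesdropper on the path would have seen.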

Currently, the advisory assesses that APT28 is almost certainly the Russian General Staff Main Intelligence Directorate (GRU) 85th Special Service Centre (GTsSS) Military Intelligence Unit 26165. APT28, also known as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang, and Sofacy, is a highly skilled threat actor.

In July 2021, these security agencies disclosed malicious cyber activities by Russian military intelligence against U.S. and global organizations that began in mid-2019 and were likely ongoing at the time. The joint advisory at the time claimed that the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, used a Kubernetes cluster to conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide.

The NCSC has previously attributed to APT28 the 2015 cyber attacks against the German parliament, including data theft and the disruption of email accounts belonging to German Members of Parliament (MPs) and the Vice Chancellor. APT28 also allegedly attempted an attack against the Organisation for the Prohibition of Chemical Weapons (OPCW) in April 2018 to disrupt independent analysis of the chemicals weaponized by the GRU in the U.K.

The Cisco vulnerability was first announced on June 29, 2017, and patched software was made available. Cisco’s published advisory also provided workarounds, such as limiting SNMP access to trusted hosts only, or disabling a number of SNMP Management Information Bases (MIBs).

The current advisory identified that for some of the targeted devices, “APT28 actors used an SNMP exploit to deploy malware, as detailed in the NCSC’s Jaguar Tooth malware analysis report. This malware obtained further device information, which is exfiltrated over trivial file transfer protocol (TFTP), and enabled unauthenticated access via a backdoor.”

It added that the hackers obtained the device information by executing a number of Command Line Interface (CLI) commands through the malware. This included discovering other devices on the network by querying the Address Resolution Protocol (ARP) table to obtain MAC addresses.

The advisory revealed that the APT28 group had been known to access vulnerable routers by using default and weak SNMP community strings, and by exploiting CVE-2017-6742. “TTPs in this advisory may still be used against vulnerable Cisco devices. Organisations are advised to follow the mitigation advice in this advisory to defend against this activity,” it added.

Organizations have been called upon to patch devices as advised by Cisco. The NCSC also has general guidance on managing updates and keeping software up to date. Enterprises that do not need to configure or manage devices remotely have also been advised not to use SNMP at all, to keep unauthorized users from accessing the router. Where routers are managed remotely, allow and deny lists for SNMP messages must be established to prevent unauthorized users from accessing the router.

Additionally, organizations must not allow unencrypted (i.e., plaintext) management protocols, such as SNMP v2 and Telnet. Where encrypted protocols aren’t possible, they should carry out any management activities from outside the organization through an encrypted virtual private network (VPN), where both ends are mutually authenticated.

Organizations have also been recommended to enforce a strong password policy and avoid the usage of the same password for multiple devices. Each device should have a unique password. Where possible, avoid legacy password-based authentication and implement two-factor authentication based on a public-private key.

Lastly, the agencies also advised organizations to disable legacy unencrypted protocols such as Telnet and SNMP v1 or v2c. “Where possible, use modern encrypted protocols such as SSH and SNMP v3. Harden the encryption protocols based on current best security practice. The NCSC strongly advises owners and operators to retire and replace legacy devices that can’t be configured to use SNMP v3,” the advisory added. 
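As an added example of checking a device against the mitigations listed above (this is not tooling from the agencies or from Cisco), the following Python audits a Cisco IOS running-config excerpt for community strings without a source ACL, default community strings, write-enabled communities, Telnet on the VTY lines, and the absence of an SNMPv3 auth/priv group. Both configuration excerpts, the ACL name SNMP-MGMT, the group NETMON and the secret placeholders are constructed.

```python
"""Audit a Cisco IOS running-config excerpt against the SNMP and management-plane
mitigations in the advisory. Both configuration excerpts below are constructed."""
import re

DEFAULT_COMMUNITIES = {"public", "private"}   # defaults the advisory says were abused

def audit_ios_config(config: str) -> list:
    """Return findings as strings; an empty list means every check passed."""
    findings, v3_group, in_vty = [], False, False
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"snmp-server community (\S+)(?: view \S+)? (RO|RW)\b(.*)", line, re.I)
        if m:                                    # any community string enables v1/v2c
            community, mode, acl = m.group(1), m.group(2).upper(), m.group(3).strip()
            findings.append(f"plaintext SNMP v1/v2c enabled by community '{community}'")
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"default community string '{community}' in use")
            if not acl:                          # nothing after RO/RW: no source allow list
                findings.append(f"community '{community}' ({mode}) has no source ACL")
            if mode == "RW":
                findings.append(f"community '{community}' permits writes")
        if re.match(r"snmp-server group \S+ v3 (auth|priv)\b", line, re.I):
            v3_group = True                      # authenticated SNMPv3 (priv also encrypts)
        if line.startswith("line vty"):
            in_vty = True
        elif line.startswith("line ") or line == "!":
            in_vty = False
        if in_vty and re.match(r"transport input .*\b(telnet|all)\b", line, re.I):
            findings.append(f"Telnet accepted on VTY lines: {line}")
    if not v3_group:
        findings.append("no SNMPv3 group with auth or priv configured")
    return findings

# Constructed: the kind of configuration the advisory describes being exploited.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
"""
# Constructed: SNMPv3 authPriv only, polling limited to a management subnet, SSH only.
HARDENED_CONFIG = """\
ip access-list standard SNMP-MGMT
 permit 10.0.100.0 0.0.0.255
snmp-server group NETMON v3 priv read NETMON-RO access SNMP-MGMT
snmp-server user netmon NETMON v3 auth sha AUTH-SECRET-PLACEHOLDER priv aes 128 PRIV-SECRET-PLACEHOLDER
line vty 0 4
 transport input ssh
"""
```

Calling `audit_ios_config(WEAK_CONFIG)` lists nine findings, while `audit_ios_config(HARDENED_CONFIG)` returns an empty list; a community string that is restricted by an ACL is still reported, because v1/v2c remains a plaintext protocol.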

The rise in attacks by nation-state hackers has led to the growing need for organizations to develop comprehensive security policies, incident response plans, and stay abreast of the latest attack and threat intelligence. As hackers gear up with new strategies, attack methods, and malware techniques, the trend is expected to continue throughout 2023, pushing critical infrastructure environments to advance the security and resilience of industrial control systems (ICS) for safe and efficient operation.

The advisory comes at a time when the State Service of Special Communications and Information Protection of Ukraine published its cyber incidents report for the first quarter of this year, showing a decrease in the number of attacks by pro-Russian groups targeting the commercial and financial sectors, the government and local authorities, and at the security and defense sectors. At the same time, the intensity of attacks on the energy sector and the mass media remains at the same level.