Russian government attackers have been exploiting unpatched and badly-configured Cisco Systems routers since 2021, according to an alert from U.S. and U.K. cybersecurity agencies.
The vulnerabilities, which were publicized and patched in 2017, are in the Simple Network Management Protocol (SNMP) subsystem of Cisco’s IOS and IOS XE Software. They could allow an authenticated remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6.
The threat actor that’s been exploiting these holes for over two years is what threat researchers variously call APT28, Fancy Bear, Strontium, Pawn Storm, the Sednit Gang and Sofacy. But the security agencies say whatever the name it is, it’s almost certainly the intelligence unit of the Russian Military General Staff (GRU).
“In 2021, APT28 used infrastructure to masquerade Simple Network Management
protocol (SNMP) access into Cisco routers worldwide,” today’s report says. “This included a small number based in Europe, U.S. government institutions, and approximately 250 Ukrainian victims.”
SNMP is designed to allow network administrators to monitor and configure network
devices remotely, says the report, but it can also be misused to obtain sensitive network information and, if vulnerable, exploit devices to penetrate a network.
“A number of software tools can scan the entire network using SNMP, meaning that
poor configuration, such as using default or easy-to-guess community strings, can
make a network susceptible to attacks. Weak SNMP community strings, including the default ‘public’, allowed APT28 to gain access to router information. APT28 sent additional SNMP commands to enumerate router interfaces.”
The compromised routers were configured to accept SNMP v2 requests. SNMP v2 doesn’t support encryption and so all data, including community strings, is sent unencrypted.
For some of the targeted devices, APT28 actors used an SNMP exploit to deploy
malware the U.K.’s National Cyber Security Centre calls Jaguar Tooth, which collects device information and exfiltrates over Trivial File Transfer Protocol (TFTP), and also enables unauthenticated backdoor access.
Cisco says all devices that have enabled SNMP and have not explicitly excluded the affected management information bases (MIBs) or object IDs (OID)s should be considered vulnerable. In addition to installing the latest firmware and security updates, Cisco administrators should also limit access to SNMP from trusted hosts only, or disable a number of SNMP Management Information bases outlined in its 2017 advisory.