The US, the UK and Cisco warn that the Russian state-sponsored hacking group APT28 is deploying custom malware codenamed “Jaguar Tooth” on Cisco IOS routers, giving the attackers unauthenticated access to the devices.
APT28, also known as Fancy Bear, STRONTIUM, Sednit, and Sofacy, is a state-sponsored hacking group linked to the Russian General Staff Main Intelligence Directorate (GRU). The group has been attributed a wide range of attacks on European and American interests and is known to abuse zero-day exploits to conduct cyber espionage.
A joint report released today by the UK National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the NSA and the FBI details how APT28 hackers exploited an old SNMP flaw in Cisco IOS routers to deploy the custom malware named “Jaguar Tooth”.
Cisco IOS Custom Router Malware
Jaguar Tooth is malware injected directly into the memory of Cisco routers running older firmware versions. Once installed, the malware exfiltrates information from the router and provides unauthenticated backdoor access to the device.
“Jaguar Tooth is non-persistent malware that targets Cisco IOS routers running firmware: C5350-ISM, version 12.3(6),” warns the NCSC advisory.
“It includes functionality to collect device information, which it exfiltrates via TFTP, and allows unauthenticated backdoor access. It has been observed being deployed and executed via exploitation of the patched SNMP vulnerability CVE-2017-6742.”
To install the malware, the threat actors scan internet-exposed Cisco routers for weak SNMP community strings, such as the commonly used default “public”. SNMP community strings act as credentials: anyone who knows the configured string can query SNMP data on the device, and a read-write string also permits configuration changes.
If a valid SNMP community string is found, the threat actors exploit CVE-2017-6742, one of several buffer overflows in the SNMP subsystem of Cisco IOS and IOS XE that Cisco patched in June 2017. A crafted SNMP packet sent by anyone who knows a community string (or, for SNMPv3, valid user credentials) yields remote code execution on the router, and exploit code is publicly available, so a guessable community string is effectively the only barrier.
Once the threat actors gain access to the Cisco router, they patch its memory to install the custom, non-persistent Jaguar Tooth malware.
“This allows access to existing local accounts without checking the supplied password, when logging in via Telnet or a physical session,” explains the NCSC Malware Analysis Report.
Additionally, the malware creates a new process named “Service Policy Lock” that collects the output of the following Command Line Interface (CLI) commands and exfiltrates it using TFTP:
- show running-config
- show version
- show ip interface
- show arp
- show cdp neighbors
- show start
- show ip route
- show flash
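Because the collected output leaves the router over TFTP, and the router itself has no endpoint agent, the practical place to spot this is flow telemetry from a neighbouring device. The following Python is an added example written for this article, not code from the NCSC/CISA advisory or from Cisco: it takes unidirectional flow records (constructed here) and reports every unsanctioned host to which one of our routers sent a TFTP request, totalling the UDP bytes the router sent that host. It accounts for the fact that a TFTP transfer only touches udp/69 for the initial request; the data itself moves on an ephemeral-to-ephemeral port pair. The router address, the allowlist of sanctioned TFTP servers and the sample flows are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, e.g. NetFlow/IPFIX exported by an upstream device."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    nbytes: int


# Constructed environment data (assumptions for this example, not from the advisory).
ROUTER_ADDRS = {"192.0.2.1"}                  # addresses our IOS routers source traffic from
TFTP_ALLOWLIST = [ip_network("10.0.0.0/24")]  # sanctioned config-backup / image servers
TFTP_PORT = 69

# Constructed sample flows. A TFTP write starts with a request to udp/69; the
# server then answers from an ephemeral port and the DATA packets travel on an
# ephemeral<->ephemeral pair, so the bulk bytes never appear on port 69.
SAMPLE_FLOWS = [
    Flow("192.0.2.1",   "10.0.0.5",     40001, 69,    "udp", 60),      # sanctioned backup: request
    Flow("192.0.2.1",   "10.0.0.5",     40001, 52110, "udp", 48_000),  # sanctioned backup: data
    Flow("203.0.113.9", "192.0.2.1",    55000, 161,   "udp", 240),     # inbound SNMP poll, not TFTP
    Flow("192.0.2.1",   "198.51.100.7", 40002, 69,    "udp", 60),      # request to an unknown host
    Flow("192.0.2.1",   "198.51.100.7", 40002, 61000, "udp", 71_304),  # bulk data leaving the router
    Flow("192.0.2.1",   "198.51.100.7", 40003, 61001, "udp", 9_870),   # second transfer to same host
]


def _sanctioned(dst: str) -> bool:
    """True if dst is inside one of the allowlisted TFTP server ranges."""
    addr = ip_address(dst)
    return any(addr in net for net in TFTP_ALLOWLIST)


def tftp_egress_from_routers(flows):
    """Return {dst: total_udp_bytes} for each unsanctioned host that a router
    sent a TFTP request to. All UDP bytes the router sent that host are summed,
    so the ephemeral-port data flows are attributed to the request that started them."""
    requested = {
        (f.src, f.dst)
        for f in flows
        if f.proto == "udp"
        and f.dport == TFTP_PORT
        and f.src in ROUTER_ADDRS
        and not _sanctioned(f.dst)
    }
    totals = defaultdict(int)
    for f in flows:
        if f.proto == "udp" and (f.src, f.dst) in requested:
            totals[f.dst] += f.nbytes
    return dict(totals)


if __name__ == "__main__":
    for host, total in tftp_egress_from_routers(SAMPLE_FLOWS).items():
        print(f"router TFTP egress to unsanctioned host {host}: {total} bytes")
```

Aggregation is per router/destination pair rather than per port pair, so data flows whose request fell outside the collection window are still counted once any TFTP request to that host has been seen. Legitimate config backups must be allowlisted or the rule will fire on every scheduled `copy running-config tftp:`.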
Cisco administrators should upgrade their routers to a fixed IOS release to mitigate these attacks.
Cisco also recommends moving from SNMP to NETCONF or RESTCONF for remote management of internet-facing routers, as those interfaces provide stronger security and richer functionality.
If SNMP is still required, administrators should bind an access list to each community so that only designated management hosts can reach the SNMP service on exposed routers, and replace default community strings with sufficiently long random ones.
CISA also recommends disabling SNMPv2c and Telnet on Cisco routers, since both carry credentials in cleartext that can be captured from the wire.
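The weak-versus-hardened configuration the advisory describes, as an added example that is not from the advisory or from Cisco: a small Python audit that reads an IOS running-config and flags default or short community strings, communities without a source access list, read-write communities, the absence of any SNMPv3 group, and vty lines that still accept Telnet. The two sample configurations are constructed, the list of “well-known” community strings beyond “public” and the 16-character minimum are assumed policy choices, and the SNMPv3 secrets are placeholders.

```python
import re

# "public" is the default the advisory names; the rest are other common defaults
# added here as assumptions.
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin", "community", "snmp"}
MIN_COMMUNITY_LEN = 16  # assumed policy threshold

# Constructed sample: the state the attackers look for.
WEAK_CONFIG = """\
hostname edge-rtr-1
!
snmp-server community public RO
snmp-server community private RW
!
line vty 0 4
 transport input telnet ssh
 login local
!
end
"""

# Constructed sample: the same router after applying the advisory's advice.
HARDENED_CONFIG = """\
hostname edge-rtr-1
!
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny any log
!
snmp-server community xK9vL2mQ8rT4wZ7p RO 10
snmp-server group NMS v3 priv
! secrets below are placeholders for this example
snmp-server user nms NMS v3 auth sha AUTH-SECRET-PLACEHOLDER priv aes 128 PRIV-SECRET-PLACEHOLDER
!
line vty 0 4
 transport input ssh
 login local
!
end
"""

# snmp-server community <string> [view <v>] [RO|RW] [ipv6 <nacl>] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<string>\S+)"
    r"(?: view \S+)?"
    r"(?: (?P<mode>RO|RW))?"
    r"(?: ipv6 \S+)?"
    r"(?: (?P<acl>\S+))?\s*$"
)
V3_GROUP_RE = re.compile(r"^snmp-server group \S+ v3\b")


def audit_ios_config(config: str) -> list[str]:
    """Return human-readable findings for the SNMP and vty settings the advisory warns about."""
    findings = []
    in_vty = False
    saw_community = saw_v3_group = False
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):          # top-level line: (re)compute block context
            in_vty = line.startswith("line vty")
        m = COMMUNITY_RE.match(line)
        if m:
            saw_community = True
            s = m["string"]
            if s.lower() in WEAK_COMMUNITIES:
                findings.append(f"SNMP community '{s}' is a well-known default")
            elif len(s) < MIN_COMMUNITY_LEN:
                findings.append(f"SNMP community '{s}' is shorter than {MIN_COMMUNITY_LEN} characters")
            if m["acl"] is None:
                findings.append(f"SNMP community '{s}' has no access list restricting source addresses")
            if m["mode"] == "RW":
                findings.append(f"SNMP community '{s}' grants write access")
            continue
        if V3_GROUP_RE.match(line):
            saw_v3_group = True
        if in_vty and line.strip().startswith("transport input"):
            protos = line.split()[2:]
            if "telnet" in protos or "all" in protos:
                findings.append("vty lines accept Telnet (cleartext credentials); use 'transport input ssh'")
    if saw_community and not saw_v3_group:
        findings.append("only SNMPv1/v2c communities configured; no SNMPv3 group present")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_ios_config(cfg) or ['no findings']}")
```

The parser is line-oriented and tracks only the `line vty` block, which is enough for these checks; a real audit would also want to confirm the referenced access list exists and is not itself `permit any`.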
Finally, if a device is suspected to have been compromised, CISA recommends following Cisco’s guidance for verifying IOS image integrity, revoking all keys associated with the device without reusing old keys, and replacing the images with ones obtained directly from Cisco.
A shift in targets
Today’s advisory highlights a growing trend among state-sponsored threat actors to create custom malware for network devices to conduct cyber espionage and surveillance.
In March, Fortinet and Mandiant revealed that Chinese hackers targeted vulnerable Fortinet devices with custom malware in a series of attacks against government entities.
Also in March, Mandiant reported on an alleged Chinese hacking campaign that installed custom malware on exposed SonicWall devices.
Since edge network devices typically cannot run Endpoint Detection and Response (EDR) agents, they have become a popular target for threat actors.
Additionally, since they are at the edge and nearly all enterprise network traffic passes through them, they are attractive targets for monitoring network traffic and gathering credentials for later access to a network.