Patched holes in Cisco routers have been used by Russians for years: Report

Russian government attackers have been exploiting unpatched and badly-configured Cisco Systems routers since 2021, according to an alert from U.S. and U.K. cybersecurity agencies.

The vulnerabilities, which were publicized and patched in 2017, are in the Simple Network Management Protocol (SNMP) subsystem of Cisco’s IOS and IOS XE Software. They could allow an authenticated remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6.

The threat actor that’s been exploiting these holes for over two years is what threat researchers variously call APT28, Fancy Bear, Strontium, Pawn Storm, the Sednit Gang and Sofacy. But the security agencies say whatever the name it is, it’s almost certainly the intelligence unit of the Russian Military General Staff (GRU).

“In 2021, APT28 used infrastructure to masquerade Simple Network Management
protocol (SNMP) access into Cisco routers worldwide,” today’s report says. “This included a small number based in Europe, U.S. government institutions, and approximately 250 Ukrainian victims.”

SNMP is designed to allow network administrators to monitor and configure network
devices remotely, says the report, but it can also be misused to obtain sensitive network information and, if vulnerable, exploit devices to penetrate a network.

“A number of software tools can scan the entire network using SNMP, meaning that
poor configuration, such as using default or easy-to-guess community strings, can
make a network susceptible to attacks. Weak SNMP community strings, including the default ‘public’, allowed APT28 to gain access to router information. APT28 sent additional SNMP commands to enumerate router interfaces.”

The compromised routers were configured to accept SNMP v2 requests. SNMP v2 doesn’t support encryption and so all data, including community strings, is sent unencrypted.

For some of the targeted devices, APT28 actors used an SNMP exploit to deploy
malware the U.K.’s National Cyber Security Centre calls Jaguar Tooth, which collects device information and exfiltrates over Trivial File Transfer Protocol (TFTP), and also enables unauthenticated backdoor access.

Cisco says all devices that have enabled SNMP and have not explicitly excluded the affected management information bases (MIBs) or object IDs (OID)s should be considered vulnerable. In addition to installing the latest firmware and security updates, Cisco administrators should also limit access to SNMP from trusted hosts only, or disable a number of SNMP Management Information bases outlined in its 2017 advisory.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs