Russia-linked APT28 Group Exploiting Cisco Routers

A recent report from CISA (US Cybersecurity and Infrastructure Security Agency)  revealed that the APT 28 group was responsible for exploiting Cisco routers with poor maintenance using CVE-2017-6742

CVE-2017-6742 Attack:  Reconnaissance with RCE in Cisco

SNMP (Simple Network Management Protocol) is a networking protocol used by network administrators for monitoring and configuring devices remotely.

From an attacker’s perspective, this protocol can extract sensitive information. If the protocol on a device is vulnerable, it can be used to penetrate the network.

However, CVE-2017-6742 is a remote code execution bug on the SNMP protocol of Cisco routers.

As of June 2017, Cisco released patches along with an advisory that had information on workarounds like access limitation to trusted hosts or disabling SNMP management information.

Along with CISA, the NCSC (UK National Cyber Security Center), the NSA (US National Security Agency), and the Federal Bureau of Investigation (FBI) claims that APT 28 is operated by the General Staff Main Intelligence (GRU) 85th Special Service Centre (GTsSS) Military Intelligence Unit 26155.

As per the report from CISA, APT28 had been using commercial code repositories and post-exploit frameworks for gaining access and deploying malware. 

The report states, “As of 2021, APT28 has been observed using commercially available code repositories, and post-exploit frameworks such as Empire. This included the use of Powershell Empire, in addition to Python versions of Empire.

The report also stated that the APT28 threat actor used this CVE-2017-6742 to exploit SNMP and deploy the malware they use to extract information via TFTP (Trivial File Transfer Protocol).

The malware was also used to enable unauthenticated access through a backdoor. The malware used by this group is Jaguar Tooth Malware.

APT 28 is known to be a highly skilled threat actor, as mentioned by the CISA. The group had names like Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang, and Sofacy).

History of Activities by APT28

  • APT28 was responsible for a cyber attack on the German parliament in 2015, resulting in data theft and disruption of email accounts belonging to the German Members of Parliament and the vice-chancellor.
  • APT28 also attempted to attack the OPCW (Organisation for the Prohibition of Chemical Weapons) in 2018 to collapse the Chemical Weapon independent analysis by GRU.

Indicators of Compromise

There are multiple Indicators of Compromise for this attack on Cisco routers which can be found on the malware analysis page of Jaguar Tooth malware.

Tactics, Techniques, and Procedures:

Tactic ID Technique Procedure
Initial Access T1190 Access was gained to perform reconnaissance on victim devices. Further detail of how this was achieved is available in the MITRE ATT&CK section of the Jaguar Tooth MAR. APT28 exploited default/well-known community strings in SNMP as outlined in CVE-2017-6742 (Cisco Bug ID: CSCve54313).
Initial Access T1078.001 Valid Accounts: Default Accounts. Actors accessed victim routers by using default community strings such as “public.”
Reconnaissance T1590 Gather Victim Network Information Access was gained to perform reconnaissance on victim devices. Further detail of how this was achieved in available in the MITRE ATT&CK section of the Jaguar Tooth MAR.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus