APT28 exploits a known vulnerability to perform reconnaissance and deploy malware on Cisco routers

  1. EXECUTIVE SUMMARY

In 2021, APT28 used its infrastructure to disguise Simple Network Management Protocol (SNMP) access into Cisco routers worldwide. The victims included a small number based in Europe, U.S. government institutions and approximately 250 Ukrainian targets.

SNMP is designed to allow network administrators to monitor and configure network devices remotely, but it can also be misused to obtain sensitive network information and, where a device is vulnerable, to exploit it and penetrate the network.

Several software tools can scan an entire network using SNMP, so poor configuration, such as default or easily guessed community strings, leaves a network open to attack.

Weak SNMP community strings, including the default "public", allowed APT28 to gain access to router information. APT28 then sent further SNMP commands to enumerate the router interfaces [T1078.001].

The compromised routers were configured to accept SNMP v2c requests. SNMP v2c does not support encryption, so all data, including the community string, is sent in plaintext.
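To make concrete what "the community string is sent in plaintext" means on the wire, and what enumerating the interface table over SNMP looks like, here is an added Python example written for this page (it is not code from the NCSC advisory, from Cisco, or from the actor's tooling). It hand-encodes an SNMPv2c GetNextRequest for the IF-MIB ifDescr column using the community string "public", then decodes the same bytes exactly as a passive observer on the network path could. Everything is constructed inline and runs offline; the optional UDP sender is only for devices you are authorised to test.

```python
"""Hand-rolled SNMPv2c GetNextRequest encoder/decoder (ASN.1 BER, stdlib only).

Added example for this page; not code from the advisory or the threat actor.
"""
import socket
from dataclasses import dataclass
from typing import List

SNMP_V2C = 1                      # SNMP version field value for v2c
GET_NEXT_REQUEST = 0xA1           # PDU tag used to walk a table one row at a time
IF_DESCR = "1.3.6.1.2.1.2.2.1.2"  # IF-MIB ifDescr column: interface names


def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(v: int) -> bytes:
    # Non-negative INTEGER, minimal two's-complement encoding.
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _tlv(0x02, body)


def _ber_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                             # base-128 with continuation bits
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_getnext(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv2c message: { version, community (plaintext OCTET STRING), GetNextRequest-PDU }."""
    varbind = _tlv(0x30, _ber_oid(oid) + b"\x05\x00")          # OID + NULL value
    pdu = _tlv(GET_NEXT_REQUEST,
               _ber_int(request_id) + _ber_int(0) + _ber_int(0)  # request-id, error-status, error-index
               + _tlv(0x30, varbind))
    return _tlv(0x30, _ber_int(SNMP_V2C) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


@dataclass
class SnmpRequest:
    version: int
    community: str
    pdu_type: int
    request_id: int
    oids: List[str]


def parse_message(raw: bytes) -> SnmpRequest:
    """Decode a v1/v2c message exactly as anyone on the network path can: nothing is encrypted."""
    tag, msg, _ = _read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    _, comm, pos = _read_tlv(msg, pos)
    pdu_type, pdu, _ = _read_tlv(msg, pos)
    _, rid, pos = _read_tlv(pdu, 0)
    _, _, pos = _read_tlv(pdu, pos)        # error-status
    _, _, pos = _read_tlv(pdu, pos)        # error-index
    _, vbl, _ = _read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid_body, _ = _read_tlv(vb, 0)
        oids.append(_decode_oid(oid_body))
    return SnmpRequest(int.from_bytes(ver, "big"), comm.decode(), pdu_type,
                       int.from_bytes(rid, "big"), oids)


def send_getnext(host: str, community: str, oid: str, timeout: float = 2.0) -> SnmpRequest:
    """Send one GetNext to UDP/161 and decode the reply. Authorised targets only."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_getnext(community, oid), (host, 161))
        data, _ = s.recvfrom(65535)
    return parse_message(data)  # the returned OID is the one to feed into the next GetNext
```

Building `build_getnext("public", IF_DESCR)` and checking `b"public" in pkt` shows the credential sitting in the datagram unprotected; repeatedly feeding the OID from each reply back into `send_getnext` walks every row of ifDescr, which is the interface enumeration the advisory describes. SNMPv3 with authPriv removes both problems, because the community string is replaced by a user with a keyed integrity check and the PDU is encrypted.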

Exploitation of CVE-2017-6742:

APT28 exploited CVE-2017-6742 (Cisco bug ID: CSCve54313), a vulnerability in the SNMP subsystem of Cisco IOS and IOS XE software [T1190]. Cisco first disclosed this vulnerability on 29 June 2017 and made patched software available at the same time.

Cisco's published advisory also provided workarounds, such as restricting SNMP access to trusted hosts only or disabling the affected SNMP Management Information Bases (MIBs).

  2. MALWARE DEPLOYMENT

For some of the targeted devices, APT28 actors used the SNMP exploit to deploy malware, as detailed in the NCSC's Jaguar Tooth Malware Analysis Report. This malware collected further information from the device, which was exfiltrated over the Trivial File Transfer Protocol (TFTP), and enabled unauthenticated access through a backdoor.

The actor obtained this information by executing a series of command line interface (CLI) commands on the device through the malware. This included discovering other devices on the network by querying the Address Resolution Protocol (ARP) table to obtain MAC addresses.

  3. MITRE ATT&CK

This advisory has been compiled against the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. For detailed TTPs, please refer to the Jaguar Tooth Malware Analysis Report.

Tactic: Initial Access
ID: T1190
Technique: Exploit Public-Facing Application
Procedure: APT28 exploited default/well-known SNMP community strings, as described in CVE-2017-6742 (Cisco bug ID: CSCve54313).

Tactic: Initial Access
ID: T1078.001
Technique: Valid Accounts: Default Accounts
Procedure: The actors accessed the victims' routers using the default community string "public".

Tactic: Reconnaissance
ID: T1590
Technique: Gather Victim Network Information
Procedure: Access was obtained to perform reconnaissance on the victims' devices. More details of how this was accomplished are available in the MITRE ATT&CK section of the Jaguar Tooth MAR.

  4. MITIGATION

Patch devices as recommended by Cisco. The NCSC also has a general guide on how to manage updates and keep software up to date.

If you do not need to configure or manage devices remotely, disable SNMP, so that unauthorized users cannot use it to access your router.

If you must manage routers remotely, configure allow and deny lists (access control lists) for SNMP messages so that only trusted management hosts can reach the router.

Do not allow unencrypted (i.e., plaintext) management protocols such as SNMP v2c and Telnet. Where encrypted protocols are not possible, carry out any administration from outside the organization through an encrypted virtual private network (VPN) in which both ends authenticate each other.

Enforce a secure password policy. Do not reuse the same password across multiple devices; each device should have a unique password. Where possible, avoid legacy password-based authentication and implement two-factor authentication based on public/private keys.

Disable legacy unencrypted protocols such as Telnet and SNMP v1 and v2c. Wherever possible, use modern encrypted protocols such as SSH and SNMP v3, and configure their cryptographic settings in line with current best practice. The NCSC strongly recommends that owners and operators remove and replace legacy devices that cannot be configured to use SNMP v3.

Use logging tools such as TACACS+ command accounting and syslog to record the commands executed on your network devices. Use these logs to highlight suspicious events promptly, and retain them to support an investigation if the integrity of a device is ever questioned. Refer to the NCSC guidance on monitoring and logging.
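The mitigations above map directly onto a handful of lines in a Cisco IOS configuration. As an added example written for this page (not code from the NCSC, Cisco or CISA), the Python script below audits configuration text for the weaknesses the advisory describes: default community strings, v1/v2c communities with no management ACL or with read-write access, SNMPv3 groups that are not authPriv or have no ACL, Telnet on VTY lines, and missing syslog or TACACS+ command accounting. The two embedded configurations are constructed samples, one weak and one hardened; the hostname, ACL name, addresses and passphrases are placeholders, and treating "public" and "private" as default community strings is this example's assumption based on the common vendor defaults.

```python
"""Audit a Cisco IOS configuration for the SNMP weaknesses this advisory describes.

Added example for this page; the sample configurations are constructed, not victim data.
"""
import re
from typing import List

# Assumption: common default community strings (the advisory itself only names "public").
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample resembling the weak configuration described in the advisory.
WEAK_CONFIG = """\
hostname edge-rtr
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet
"""

# Constructed sample applying the mitigations: SNMPv3 authPriv behind a management ACL,
# no v1/v2c communities, SSH only, syslog and TACACS+ command accounting.
HARDENED_CONFIG = """\
hostname edge-rtr
ip access-list standard SNMP-MGMT
 permit 10.20.0.5
 deny any log
snmp-server group NETMON v3 priv access SNMP-MGMT
snmp-server user monitor NETMON v3 auth sha AuthPassphrasePlaceholder priv aes 128 PrivPassphrasePlaceholder
logging host 10.20.0.50
aaa accounting commands 15 default start-stop group tacacs+
line vty 0 4
 transport input ssh
"""

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?\s*$", re.I)
# snmp-server group <name> v3 {noauth|auth|priv} [... access <acl>]
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b(.*)$", re.I)
TELNET_RE = re.compile(r"^\s*transport input\b.*\btelnet\b", re.I)


def audit_config(config: str) -> List[str]:
    """Return a list of findings; an empty list means none of the audited weaknesses is present."""
    findings: List[str] = []
    lines = [ln.rstrip() for ln in config.splitlines()]

    communities = [m for m in (COMMUNITY_RE.match(ln) for ln in lines) if m]
    for m in communities:
        name, perm, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default community string '{name}' (T1078.001)")
        if acl is None:
            findings.append(f"community '{name}' accepts SNMP from any source; add a management ACL")
        if perm == "RW":
            findings.append(f"community '{name}' is read-write")
    if communities:
        findings.append("SNMPv1/v2c communities configured: plaintext on the wire; migrate to SNMPv3")

    for m in (GROUP_RE.match(ln) for ln in lines):
        if not m:
            continue
        name, level, rest = m.group(1), m.group(2).lower(), m.group(3)
        if level != "priv":
            findings.append(f"SNMPv3 group '{name}' uses '{level}'; require 'priv' (auth + encryption)")
        if "access" not in rest.split():
            findings.append(f"SNMPv3 group '{name}' has no management ACL")

    if any(TELNET_RE.match(ln) for ln in lines):
        findings.append("Telnet enabled on VTY lines; use SSH only")
    if not any(ln.startswith("logging host") for ln in lines):
        findings.append("no syslog destination configured")
    if not any(ln.startswith("aaa accounting commands") for ln in lines):
        findings.append("no TACACS+ command accounting configured")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for f in audit_config(cfg) or ["no findings"]:
            print("  -", f)
```

Run it against `show running-config` output saved to a file by reading the file into `audit_config`. Note that on IOS the `snmp-server user` line is not echoed in the running configuration (it is visible via `show snmp user`), so the script deliberately keys its SNMPv3 checks on the `snmp-server group` line instead.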

If you suspect that your router has been compromised:

  • Follow Cisco's advice to verify the Cisco IOS image.
  • Revoke all keys associated with that router. When replacing the router configuration, be sure to create new keys instead of pasting from the previous configuration.
  • Replace the ROMMON and Cisco IOS image with an image that has been obtained directly from the Cisco website, in case the internal and third-party repositories have been compromised.

The NSA Network Infrastructure Guide provides some best practices for SNMP.

See also the Cisco IOS hardening guide and the Cisco Jaguar Tooth blog.

  5. LINKS

- Cisco IOS software integrity assurance:
https://sec.cloudapps.cisco.com/security/center/resources/integrity_assurance.html

- NSA Network Infrastructure Security Guide:
https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF

- CISA Cybersecurity Advisory AA23-108 (joint advisory on this activity):
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108

- Cisco's Jaguar Tooth blog:
https://blogs.cisco.com/security/threat-actors-exploiting-snmp-vulnerabilities-in-cisco-routers
