NSA issues warning about APT28 Cisco router exploitation
The National Security Agency (NSA) has partnered with the UK’s National Cyber Security Centre (NCSC), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) to publish a joint Cybersecurity Advisory (CSA) report on the tactics, techniques, and procedures (TTPs) associated with APT28’s exploitation of Cisco routers, the NSA announced April 18.
APT28 is also known as the Russian General Staff Main Intelligence Directorate (GRU) 85th Special Service Center (GTsSS) military intelligence unit 26165, Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang, and Sofacy.
The transatlantic coalition published the “APT28 exploits known vulnerability to carry out reconnaissance and deploy malware on Cisco routers” CSA indicating that APT28 cyber actors masqueraded Simple Network Management protocol (SNMP) to exploit CVE-2017-6742 (Cisco Bug ID: CSCve54313) and access vulnerable Cisco routers worldwide. This included U.S. Government institutions, approximately 250 Ukrainian victims, and a small number based in Europe.
These cyber actors continue to leverage a known vulnerability to exploit unpatched Cisco routers to conduct reconnaissance and deploy malware to enable unauthenticated access. See NCSC’s Jaguar Tooth malware analysis report for details.
SNMP is designed to allow administrators to monitor and configure network devices remotely, but it can also be misused to obtain sensitive network information and, if vulnerable, exploit devices to penetrate a network.
The authoring agencies recommend following the mitigation advice to defend against this malicious activity and identify indicators of compromise (IoCs) to detect possible activity in networks.
If you enjoyed this article, please consider becoming a paid subscriber. Your support helps keep our site ad-free.