
Cyber Incident Victim: Cisco
Date: Apr 2023
Location: United States of America

Summary

A Russian state-sponsored hacking group, APT28, deployed custom malware called Jaguar Tooth on Cisco IOS routers by exploiting an old SNMP vulnerability. The malware provided unauthenticated backdoor access to the device and exfiltrated sensitive configuration and system information. This activity was part of a broader trend where government-backed actors increasingly target network edge devices to conduct cyber espionage and surveillance operations.


Description

On April 18, 2023, the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the UK National Cyber Security Centre (NCSC) jointly issued a warning regarding a campaign by Russian state-sponsored hackers targeting Cisco routers. The threat actor was identified as APT28, a group also known as Fancy Bear, STRONTIUM, Sednit, and Sofacy, which is linked to Russia’s General Staff Main Intelligence Directorate (GRU). This group has a history of conducting cyber espionage against European and US interests and is known for exploiting zero-day vulnerabilities. The campaign involved the deployment of a custom piece of malware named 'Jaguar Tooth' onto Cisco IOS routers.


The attackers initiated their operations by scanning the internet for publicly accessible Cisco routers that were configured with weak Simple Network Management Protocol (SNMP) community strings. These strings function as passwords, and the attackers specifically targeted devices using common or easily guessable strings, such as the default 'public'. This initial reconnaissance phase was designed to identify potential entry points into target networks. Once a valid SNMP community string was discovered, the threat actors proceeded to exploit a known vulnerability, CVE-2017-6742, which had been publicly disclosed and patched by Cisco in June 2017. This vulnerability is an unauthenticated remote code execution flaw, and exploit code for it was publicly available, facilitating its use by the attackers.

Upon successfully exploiting the SNMP vulnerability, the threat actors gained the ability to execute code on the targeted router. They used this access to deploy the Jaguar Tooth malware directly into the device's memory. The malware was designed to be non-persistent, meaning it would not survive a reboot of the router. It specifically targeted Cisco routers running an older firmware version, identified as C5350-ISM, Version 12.3(6). The primary function of the Jaguar Tooth malware was twofold: to exfiltrate sensitive configuration and operational data from the compromised device and to provide the attackers with unauthenticated backdoor access.

The data exfiltration component operated by creating a new process named 'Service Policy Lock' on the router. This process was programmed to automatically collect the output from a specific set of Cisco Command Line Interface (CLI) commands. The commands executed included 'show running-config', which displays the current active configuration; 'show version', which provides detailed information about the device's hardware and software; 'show ip interface brief', which lists a summary of IP interfaces and their status; 'show arp', which shows the Address Resolution Protocol cache; 'show cdp neighbors', which details connected Cisco devices discovered through the Cisco Discovery Protocol; 'show start', which displays the saved startup configuration; 'show ip route', which lists the routing table; and 'show flash', which shows information about the flash memory file system. The collected data from these commands was then transmitted out of the network via the Trivial File Transfer Protocol (TFTP).

Simultaneously, the malware patched the router's memory to subvert the normal authentication process. This modification granted the threat actors unauthenticated backdoor access to the device. Specifically, it allowed access to existing local accounts without requiring a password check when connecting to the router via a Telnet session or a physical connection. This backdoor provided APT28 with sustained, covert access to the network edge device, enabling continued surveillance and potentially facilitating further network penetration.

The impact of such a compromise is significant due to the strategic position routers hold within a network. As edge devices, they process all incoming and outgoing network traffic. A compromised router allows a threat actor to monitor, intercept, and potentially modify this traffic. This capability can be used for cyber espionage, to steal credentials transmitted in cleartext, to map the internal network structure, and to serve as a launching point for attacks deeper into the network. Furthermore, because network infrastructure devices like routers typically do not support traditional Endpoint Detection and Response (EDR) security solutions, they can be more difficult to monitor for malicious activity, making them attractive targets for advanced persistent threat groups.

In response to the discovery of this campaign, the joint advisory from the US and UK agencies, along with Cisco, provided specific guidance. The primary mitigation action recommended was for all Cisco administrators to upgrade their routers to the latest available firmware version, which would include the patch for CVE-2017-6742 and prevent the initial exploitation. For organizations that required remote management capabilities, the advisory recommended a shift away from SNMP to more secure protocols like NETCONF or RESTCONF. In cases where SNMP remained necessary, the guidance was to configure strict allow and deny lists to restrict access to the SNMP interface and to ensure any configured SNMP community string was a strong, random value instead of a default or weak string.

Additional recommendations focused on improving overall security posture. CISA advised disabling SNMP version 2 and Telnet on Cisco routers, citing the risk of credentials being stolen from unencrypted traffic generated by these protocols. For devices suspected of already being compromised, the response actions were more extensive. Organizations were directed to follow Cisco's guidance for verifying the integrity of the IOS operating system image installed on the router. Furthermore, it was recommended to revoke all cryptographic keys associated with a potentially compromised device, to avoid reusing any old keys, and to replace the device's IOS image with a clean version obtained directly from Cisco to ensure no remnants of the infection remained.
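The following Python script is an added example, not code from the joint advisory, from Cisco, or from this page. It turns the details above into two defender-side checks: an audit of an IOS running-config for the settings the attackers looked for (default or short v1/v2c community strings, communities with no access list, Telnet on the vty lines) and a scan of 'show processes' output for the 'Service Policy Lock' process name that Jaguar Tooth creates. The sample configs, the ACL and group names, the 12-character community-length threshold and the process listing are all constructed for the example; the hardened sample follows the advisory's direction of SNMPv3, access lists and SSH in place of Telnet.

```python
"""Hunt-and-harden checks for the Jaguar Tooth / CVE-2017-6742 campaign.

Added example, not code from the advisory, Cisco or this page. It audits an
IOS running-config for the weak settings the attackers scanned for and checks
'show processes' output for the process name the malware creates. Sample
configs, ACL/group names, PIDs and the length threshold are constructed.
"""
import re

# 'public' and 'private' are the well-known defaults; the other entries and
# the 12-character minimum are this example's own assumptions.
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin", "snmp"}
MIN_COMMUNITY_LEN = 12

# Process name Jaguar Tooth creates for its collection task (from the advisory).
JAGUAR_TOOTH_PROCESS = "Service Policy Lock"

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^\s*snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW))?(?:\s+(\S+))?\s*$"
)
TRANSPORT_RE = re.compile(r"^\s*transport input\s+(.+?)\s*$")

# Constructed sample of the configuration the attackers scanned for:
# default v1/v2c community strings, no ACL, Telnet on the vty lines.
WEAK_CONFIG = """\
hostname edge-rtr-1
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet
"""

# Constructed sample following the advisory's guidance: SNMPv3 with
# authentication and privacy, access limited by an ACL, SSH instead of Telnet.
# <auth-secret> and <priv-secret> are placeholders for real passphrases.
HARDENED_CONFIG = """\
hostname edge-rtr-1
ip access-list standard SNMP-MGMT
 permit 10.0.100.0 0.0.0.255
 deny   any log
snmp-server group NETMON v3 priv access SNMP-MGMT
snmp-server user monitor NETMON v3 auth sha <auth-secret> priv aes 128 <priv-secret>
line vty 0 4
 transport input ssh
"""


def audit_config(config: str) -> list[tuple[str, str]]:
    """Return (check_id, offending_line) pairs for every weak setting found."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            community, mode, acl = m.groups()
            # Any community line enables SNMPv1/v2c, which the advisory says to disable.
            findings.append(("v1v2c-community", line))
            if community.lower() in WEAK_COMMUNITIES or len(community) < MIN_COMMUNITY_LEN:
                findings.append(("weak-community", line))
            if acl is None:
                findings.append(("no-acl", line))
            if mode == "RW":
                # A read-write community also allows configuration changes over SNMP.
                findings.append(("rw-community", line))
            continue
        t = TRANSPORT_RE.match(line)
        if t and {"telnet", "all"} & set(t.group(1).split()):
            findings.append(("telnet-enabled", line))
    return findings


# Constructed 'show processes' excerpt; PIDs and counters are invented.
SHOW_PROCESSES_SAMPLE = """\
 PID QTy       PC Runtime (ms)    Invoked   uSecs    Stacks TTY Process
   1 Cwe 605C5F48            0          1       0 5528/6000   0 Chunk Manager
   2 Csp 6059F474          124      62013       2 2648/3000   0 Load Meter
 128 Mwe 601B3C90         3104       2017    1539 8736/12000  0 Service Policy Lock
"""


def find_jaguar_tooth_processes(show_processes: str) -> list[str]:
    """Return PIDs whose process name matches the Jaguar Tooth indicator.

    The implant is memory-resident, so this only means anything on a live
    device; compare any hit against a known-good baseline before escalating.
    """
    hits = []
    for line in show_processes.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit() and line.rstrip().endswith(JAGUAR_TOOTH_PROCESS):
            hits.append(fields[0])
    return hits


if __name__ == "__main__":
    for check, line in audit_config(WEAK_CONFIG):
        print(f"{check:18} {line}")
    print("hardened findings:", audit_config(HARDENED_CONFIG))
    print("suspicious PIDs:", find_jaguar_tooth_processes(SHOW_PROCESSES_SAMPLE))
```

Run against the weak sample the audit reports eight findings (two default communities, both unrestricted, one of them read-write, v1/v2c in use, Telnet on the vty lines) and reports nothing for the hardened sample; the process scan returns the PID of the 'Service Policy Lock' entry. The config checks are a static complement to the image-integrity verification and key rotation the advisory calls for, not a replacement for them.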

This incident is part of a broader trend observed in early 2023, where state-sponsored threat actors increasingly targeted network edge devices with custom malware. In March of the same year, similar campaigns were disclosed involving Chinese state-sponsored actors targeting vulnerable Fortinet devices with custom malware to attack government entities. Also in March, another suspected Chinese campaign was reported to have installed custom malware on exposed SonicWall appliances. The targeting of these types of devices provides threat actors with a strategic foothold on the periphery of a network, offering extensive visibility into traffic and opportunities for credential harvesting, which underscores the growing focus on network infrastructure as a primary vector for espionage campaigns.
