US, UK warn of govt hackers using custom malware on Cisco routers

The US, UK, and Cisco are warning of Russian state-sponsored APT28 hackers deploying a custom malware named 'Jaguar Tooth' on Cisco IOS routers, allowing unauthenticated access to the device.

APT28, also known as Fancy Bear, STRONTIUM, Sednit, and Sofacy, is a state-sponsored hacking group linked to Russia's General Staff Main Intelligence Directorate (GRU). This hacking group has been attributed to a wide range of attacks on European and US interests and is known to abuse zero-day exploits to conduct cyber espionage.

A joint report released today by the UK National Cyber Security Centre (NCSC), US Cybersecurity and Infrastructure Security Agency (CISA), the NSA, and the FBI details how the APT28 hackers have been exploiting an old SNMP flaw on Cisco IOS routers to deploy a custom malware named 'Jaguar Tooth.'

Custom Cisco IOS router malware

Jaguar Tooth is malware injected directly into the memory of Cisco routers running older firmware versions. Once installed, the malware exfiltrates information from the router and provides unauthenticated backdoor access to the device.

"Jaguar Tooth is non-persistent malware that targets Cisco IOS routers running firmware: C5350-ISM, Version 12.3(6)," warns the NCSC advisory.

"It includes functionality to collect device information, which it exfiltrates over TFTP, and enables unauthenticated backdoor access. It has been observed being deployed and executed via exploitation of the patched SNMP vulnerability CVE-2017-6742."

To install the malware, the threat actors scan for public Cisco routers using weak SNMP community strings, such as the commonly used 'public' string. SNMP community strings are like credentials that allow anyone who knows the configured string to query SNMP data on a device.

If a valid SNMP community string is discovered, the threat actors exploit the CVE-2017-6742 SNMP vulnerability, fixed in June 2017. This vulnerability is an unauthenticated, remote code execution flaw with publicly available exploit code.

Once the threat actors access the Cisco router, they patch its memory to install the custom, non-persistent Jaguar Tooth malware.

"This grants access to existing local accounts without checking the provided password, when connecting via Telnet or physical session," explains the NCSC malware analysis report.

In addition, the malware creates a new process named 'Service Policy Lock' that collects the output from the following Command Line Interface (CLI) commands and exfiltrates it using TFTP:

• show running-config
• show version
• show ip interface brief
• show arp
• show cdp neighbors
• show start
• show ip route
• show flash

All Cisco admins should upgrade their routers to the latest firmware to mitigate these attacks.

Cisco also recommends switching from SNMP to NETCONF/RESTCONF on public routers for remote management, as it offers more robust security and functionality.

If SNMP is required, admins should configure allow and deny lists to restrict who can access the SNMP interface on publicly exposed routers, and the community string should be changed to a sufficiently strong, random string.

CISA also recommends disabling SNMP v2 or Telnet on Cisco routers, as these protocols could allow credentials to be stolen from unencrypted traffic.

Finally, if a device is suspected of having been compromised, CISA recommends using Cisco's advice for verifying the integrity of the IOS image, revoking all keys associated with the device and to not reuse old keys, and to replace images with those directly from Cisco.

A shift in targets

Today's advisory highlights a growing trend among state-sponsored threat actors to create custom malware for networking devices to conduct cyber espionage and surveillance.

In March, Fortinet and Mandiant disclosed that Chinese hackers were targeting vulnerable Fortinet devices with custom malware in a series of attacks against government entities.

Also in March, Mandiant reported on a suspected Chinese hacking campaign that installed custom malware on exposed SonicWall devices.

As edge network devices do not support Endpoint Detection and Response (EDR) solutions, they are becoming a popular target for threat actors.

Furthermore, as they sit on the edge with almost all corporate network traffic flowing through them, they are attractive targets to surveil network traffic and gather credentials for further access into a network.