Russian snoops just love invading unpatched Cisco gear, America and UK warn


The UK and US governments have sounded the alarm on Russian intelligence targeting unpatched Cisco routers to deploy malware and carry out surveillance.

In a joint advisory issued Tuesday, the UK National Cyber Security Centre (NCSC), the NSA, America's Cybersecurity and Infrastructure Security Agency (CISA) and the FBI provided details about how Russia's APT28 — aka FancyBear and Strontium — exploited an old vulnerability in unpatched Cisco routers in 2021 to collect network information belonging to European and US government organizations, and about 250 Ukrainian victims.

APT28 is understood to be a key cog in the Russian military intelligence machine: it's a GRU-linked unit responsible for, among other things, the 2015 theft of data from the German parliament, the US Democratic National Committee ransacking a year later, the attempted intrusion into the UK Organisation for the Prohibition of Chemical Weapons in April 2018, and a slew of more recent cyberattacks against Ukraine since the Russian invasion began.

"TTPs in this advisory may still be used against vulnerable Cisco devices," the governments' advisory said, referring to the tactics, techniques, and procedures employed by Russia to compromise the networking gear.

To be clear: this is a roughly six-year-old vulnerability that Cisco disclosed and fixed in 2017. The networking vendor updated its security advisory when it became aware of in-the-wild exploits of the now-patched bug.

In a separate warning, also issued on Tuesday, Cisco said it's not just Russian spies attempting to attack network infrastructure — and it's not just Cisco gear they're going after.

"Cisco is deeply concerned by an increase in the rate of high-sophistication attacks on network infrastructure — that we have observed and have seen corroborated by numerous reports issued by various intelligence organizations — indicating state-sponsored actors are targeting routers and firewalls globally," Cisco Talos Threat Intelligence Director Matt Olney said.

In an interview with The Register, JJ Cummings, Cisco Talos national intelligence principal, said the IT giant's threat hunting team has seen this type of router targeting being used for espionage, and to support more destructive attacks, much more recently than 2021.


"Network operators are, frankly, incentivized, and their whole goal is to maintain a high-availability, operational environment for the rest of their organization," Cummings said. "When they're incentivized to do this, we're seeing cases where devices go untouched for years at a time, or even longer potentially, all in the name of maintaining that uptime and that availability."

That long-term availability comes at the cost of unpatched gear: updates are not applied to avoid downtime or any interruption of business. "The security of that device isn't always front of mind," Cummings said.

Abusing SNMP with a 'Jaguar Tooth' bite

In the 2021 attacks, the Kremlin spies used the simple network management protocol (SNMP) to access Cisco routers worldwide. This protocol is usually used by network administrators to monitor and configure devices remotely. As was the case with Russia, it can be wielded against vulnerable and poorly protected equipment to infiltrate organizations' networks.

"A number of software tools can scan the entire network using SNMP, meaning that poor configuration such as using default or easy-to-guess community strings, can make a network susceptible to attacks," the NCSC said. "Weak SNMP community strings, including the default 'public', allowed APT28 to gain access to router information."

After exploiting weak SNMP community strings to access routers, the attackers deployed Jaguar Tooth malware [PDF], which collected more device information and sent it back to the intruders over trivial file transfer protocol (TFTP), and also enabled unauthenticated backdoor access to the network so that Moscow's snoops could maintain persistence.
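Added here as a defender's check, not code from the advisory, The Register or Cisco: a Python audit of a Cisco IOS running-config fragment for the SNMP weaknesses the NCSC describes (default or guessable community strings, read-write access, communities with no ACL). The config lines and the default-string list are constructed, and the SNMPv3 auth-plus-privacy check is my own marker for the hardened alternative.

```python
"""Audit Cisco IOS 'snmp-server community' lines for the weaknesses the NCSC advisory
describes: default/guessable community strings, RW access, no ACL. Added example."""
import re

DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "community"}  # constructed list

# snmp-server community <string> [view <name>] [RO|RW] [<acl number or name>]
SNMP_RE = re.compile(
    r"^\s*snmp-server community\s+(\S+)(?:\s+view\s+\S+)?"
    r"(?:\s+(RO|RW))?(?:\s+(\S+))?\s*$", re.IGNORECASE)
SNMPV3_PRIV_RE = re.compile(r"^\s*snmp-server group\s+\S+\s+v3\s+priv\b", re.IGNORECASE)

def audit_snmp_config(config_text):
    """Return [(community, [findings]), ...] for each SNMPv1/v2c community line.
    An empty findings list means that line passed every check."""
    results = []
    for line in config_text.splitlines():
        m = SNMP_RE.match(line)
        if not m:
            continue
        community, acl = m.group(1), m.group(3)
        mode = (m.group(2) or "RO").upper()  # IOS defaults to read-only
        findings = []
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append("default community string")
        elif len(community) < 12 or community.isalpha():
            findings.append("short or guessable community string")  # heuristic
        if mode == "RW":
            findings.append("read-write access (config changes via SNMP)")
        if acl is None:
            findings.append("no ACL: any reachable host may query")
        results.append((community, findings))
    return results

def has_snmpv3_priv(config_text):
    """True if at least one SNMPv3 group requires authentication and encryption."""
    return any(SNMPV3_PRIV_RE.match(l) for l in config_text.splitlines())

# Constructed running-config fragment: two weak lines beside a hardened one.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community Qz7mKt2pLw9x RO 10
snmp-server group NETMON v3 priv
"""

if __name__ == "__main__":
    for community, findings in audit_snmp_config(SAMPLE_CONFIG):
        print(community, "->", findings or "ok")
```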


Talos, for its part, said Cisco's not the only equipment maker in nation-state spies' crosshairs. Its team spotted one scanning tool targeting "almost 20" router and switch manufacturers, Olney noted.

Plus, Chinese spies are just as likely as their Russian counterparts to target network equipment, the Talos alert added, citing a CISA warning from June 2022.

"It is reasonable to conclude that any sufficiently capable national intelligence operation would develop and use the capability to compromise the communications infrastructure of their preferred targets," Olney wrote.

"We have observed traffic manipulation, traffic copying, hidden configurations, router malware, infrastructure reconnaissance and active weakening of defenses by adversaries operating on networking equipment," he continued. "Given the variety of activities we have seen adversaries engage in, they have shown a very high level of comfort and expertise working within the confines of compromised networking equipment." ®