Project Hyphae

Custom Malware Being Deployed To Cisco Routers


Cisco, the United States and British governments are warning that APT28 hackers are deploying custom malware, named “Jaguar Tooth,” to Cisco IOS routers that gives them remote access to the device. APT28 (also known as Fancy Bear, Strontium, Sofacy, or Sednit) is a state-sponsored hacking group linked to Russia’s GRU. It has been attributed, or has taken credit for, a wide range of attacks on US and European organizations, agencies and infrastructure.

The joint warning details how this malware is installed: the attackers exploit the SNMP vulnerability CVE-2017-6742, which was first documented in 2017 and has had a patch available for a number of years. Once on the device, the attackers patch the router’s memory to install the Jaguar Tooth malware. This allows attackers to log in with any local account without providing a password, whether connecting physically or via Telnet. The malware also runs a collection of commands to gather data on the device and its configuration, which it then exfiltrates using TFTP.

Cisco and CISA recommend upgrading all Cisco routers to the latest firmware, disabling Telnet access, and switching from SNMP to NETCONF/RESTCONF for remote management. If SNMP is required, organizations should configure allow and deny lists so that SNMP access is restricted to the specific IP addresses used by administrators.
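As an added illustration of the hardening advice above (this script is not from the advisory, Cisco or CISA), the following Python auditor scans an IOS-style running-config for the two exposures the advisory calls out: VTY lines that accept Telnet, and SNMP community strings with no access list bound to them. The sample config, hostname and addresses are constructed for the example.

```python
"""Audit a Cisco IOS running-config for Telnet-enabled VTY lines and SNMP
community strings that are not restricted by an access list.
The config below is a constructed sample, not taken from a real device."""
import re

SAMPLE_CONFIG = """\
hostname edge-rtr-1
snmp-server community public RO
snmp-server community s3cret RW 10
access-list 10 permit 192.0.2.10
line vty 0 4
 transport input telnet
line vty 5 15
 transport input ssh
"""

def parse_sections(config):
    """Return (global_lines, {section_header: [indented child lines]})."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):            # indented: belongs to current section
            if current is not None:
                sections.setdefault(current, []).append(raw.strip())
        else:
            current = raw.strip()
            global_lines.append(current)
            if current.startswith("line "):
                sections.setdefault(current, [])
    return global_lines, sections

def audit_config(config):
    """Return a list of finding strings; an empty list means nothing flagged."""
    findings = []
    global_lines, sections = parse_sections(config)
    for line in global_lines:
        m = re.match(r"snmp-server community (\S+)(.*)", line)
        if m:
            name, rest = m.group(1), m.group(2).split()
            # Drop the optional 'view <name>' pair and the RO/RW mode; any
            # token left over is the access-list number or name binding it.
            if "view" in rest:
                i = rest.index("view")
                del rest[i:i + 2]
            rest = [t for t in rest if t.upper() not in ("RO", "RW")]
            if not rest:
                findings.append(f"SNMP community '{name}' has no access list")
    for header, body in sections.items():
        if header.startswith("line vty"):
            for child in body:
                if re.match(r"transport input (telnet|all)\b", child):
                    findings.append(f"{header}: Telnet permitted ({child})")
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("WARN", finding)
```

Running the script against the sample flags the unrestricted `public` community and the Telnet-enabled `line vty 0 4`, while the ACL-bound community and the SSH-only lines pass.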

For more information on Jaguar Tooth, please review the NCSC’s malware analysis report:
