Cisco and the United States and British governments are warning that APT28 hackers are deploying custom malware, named “Jaguar Tooth,” that gives them remote access to Cisco IOS routers. APT28 (also known as Fancy Bear, Strontium, Sofacy, or Sednit) is a state-sponsored hacking group linked to Russia’s GRU. The group has been blamed for, or has taken credit for, a wide range of attacks on US and European organizations, agencies and infrastructure.
The joint warning details how the malware is installed: the attackers exploit the SNMP vulnerability CVE-2017-6742, which was first documented in 2017 and for which a patch has been available for a number of years. Once in, they patch the router’s memory to install the Jaguar Tooth malware. This lets the attackers log in with any local account without providing a password when connecting physically or via Telnet. The malware also runs a collection of commands to gather information about the device and its configuration, which it then exfiltrates over TFTP.
Cisco and CISA recommend that all Cisco routers be upgraded to the latest firmware, that Telnet access be disabled, and that remote management be moved from SNMP to NETCONF/RESTCONF. If SNMP is required, organizations should configure allow and deny lists so that only IP addresses specifically in use by administrators can reach the SNMP service.
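As an added example (not code from Cisco, CISA or the NCSC report), the following Python audit reads a Cisco IOS running-config and flags the two conditions the guidance above targets: SNMP communities configured without an ACL, and vty lines that still accept Telnet (or set no transport at all). The sample config, the `SNMP-MGMT` ACL name and the community strings are constructed for the example.

```python
import re

# Constructed sample running-config (not from a real device): one SNMP
# community with no ACL, one restricted by ACL, one vty range that still
# accepts Telnet and one that is SSH-only.
SAMPLE_CONFIG = """\
ip access-list standard SNMP-MGMT
 permit 192.0.2.10
 deny   any log
snmp-server community public RO
snmp-server community s3cr3t RW SNMP-MGMT
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

# snmp-server community <string> [view <name>] [RO|RW] [<acl-number-or-name>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?\s*$")


def audit_config(config: str) -> list[str]:
    """Return one finding per weak setting; an empty list means both checks pass."""
    findings = []
    vty_block, saw_transport = None, False
    # The appended 'end' sentinel closes the last indented block even if the
    # config text was cut off before its own 'end' line.
    for line in config.splitlines() + ["end"]:
        if not line.startswith(" "):  # top-level command: any open vty block ends here
            if vty_block and not saw_transport:
                findings.append(f"{vty_block}: no 'transport input' configured; "
                                "the release default may still accept Telnet")
            vty_block, saw_transport = None, False
            m = COMMUNITY_RE.match(line)
            if m:
                community, mode, acl = m.groups()
                if acl is None:  # community answers queries from any source address
                    findings.append(f"SNMP community '{community}' ({mode or 'RO'}) "
                                    "has no ACL; restrict it to management hosts")
            elif line.startswith("line vty"):
                vty_block = line
            continue
        if vty_block and line.startswith(" transport input"):
            saw_transport = True
            protocols = set(line.split()[2:])
            if protocols & {"telnet", "all"}:
                findings.append(f"{vty_block}: Telnet permitted ('transport input "
                                f"{' '.join(sorted(protocols))}'); use 'transport input ssh'")
    return findings
```

Running `audit_config(SAMPLE_CONFIG)` reports the unrestricted `public` community and the `line vty 0 4` range that still permits Telnet; the ACL-restricted community and the SSH-only range produce no findings.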
For more information on Jaguar Tooth, please review the NCSC’s malware analysis report: https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/jaguar-tooth/NCSC-MAR-Jaguar-Tooth.pdf