Fancy Bear known to be exploiting vulnerability in Cisco routers

In a joint advisory, the UK National Cyber Security Centre (NCSC), the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released information about APT28’s exploitation of Cisco routers in 2021.

Now please don’t stop reading because you think this is old news. If you think 2021 is long ago, maybe you will be surprised to learn that the vulnerability used in these attacks was actually discovered in 2017.

Cisco published workarounds and updates for this vulnerability in June of 2017. Nevertheless, the advisory says that the mentioned tactics, techniques, and procedures (TTPs) may still be being used against vulnerable Cisco devices.

APT28 (also known as Sofacy and Fancy Bear), is the name for an advanced group of cybercriminals of Russian origin which are commonly believed to be part of the Russian Staff Main Intelligence Directorate (GRU). Previous activities include cyberattacks against the German parliament in 2015, and an attempted attack against the Organization for the Prohibition of Chemical Weapons (OPCW) in April 2018, to disrupt independent analysis of chemicals weaponized by the GRU in the UK.

The Simple Network Management Protocol (SNMP) is an application-layer protocol that provides a standardized framework and a common language for monitoring and managing devices in a network. SNMP is designed to allow network administrators to monitor and configure network devices remotely, but it can also be abused to obtain sensitive network information and, if vulnerable, exploit devices to penetrate a network. In 2021, APT28 used infrastructure to masquerade SNMP access into Cisco routers worldwide.

This was possible because the SNMP subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. These vulnerabilities affect all releases of Cisco IOS and IOS XE Software prior to the first fixed release and they affect all versions of SNMP-Versions 1, 2c, and 3. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6.

Enter Jaguar Tooth, the name of the malware that APT28 used to obtain further device information and enabled unauthenticated access via a backdoor. The actor obtained this device information by executing a number of commands via the malware and send them out over trivial file transfer protocol (TFTP). The information includes discovery of other devices on the network.

Discovery and countermeasures

Should you be worried about this threat? That depends on your threat model. If there is a reason for state actors to be interested in you in some way, then the answer is yes. This is the type of threat that the UK’s Minister and Secretary of State for National Investment Security, Mr Dowden, is referring to when he talks about groups that are ideologically motivated, rather than financially motivated.

If you suspect your router has been compromised, you can follow Cisco’s advice for verifying the Cisco IOS image. If that does not take away your suspicion, you should:

  • Revoke all keys associated with that router. When replacing the router configuration be sure to create new keys rather than pasting from the old configuration.
  • Replace both the ROMMON and Cisco IOS image with an image that has been sourced directly from the Cisco website, in case third party and internal repositories have been compromised.

To prevent falling victim to this specific threat there are some steps you should take:

  • Patch devices as advised by Cisco
  • Do not use SNMP if you are not required to configure or manage devices remotely. If you do need it, use a limiting allow list for SNMP messages to prevent unauthorized users from accessing your router.
  • Review your password policy and adapt it where necessary.
  • Use logging tools to record commands executed on your network devices.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.