APT28 exploits a bug in Cisco routers to spread malware

May 1, 2023

A joint advisory from multiple law enforcement agencies revealed that the Russian hacker group APT28 has exploited a bug in Cisco routers since 2021. The group abuses poorly maintained routers to deploy custom malware strains on outdated devices.

In addition, the group used infrastructure that reached Cisco routers worldwide over the Simple Network Management Protocol (SNMP). This campaign, which dates back a couple of years, has affected routers in several European countries and United States government institutions, and allegedly about 250 privately owned routers as well.
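As an added example (not from the advisory or this article), a small Python check for the kind of SNMPv1/v2c exposure that gives an attacker this access: it scans a constructed Cisco IOS running-config excerpt for community strings that are well-known defaults, grant read-write access, or are not bound to an ACL, and shows an SNMPv3-only configuration that passes the check. The hostname, community names, ACL number and SNMPv3 user are constructed placeholders.

```python
import re

# Matches IOS "snmp-server community <string> [view <v>] RO|RW [acl]" lines.
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?\s+(RO|RW)(?:\s+(\S+))?\s*$",
    re.IGNORECASE,
)
# Widely known default community strings; either one is a guessable credential.
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed weak excerpt: v2c communities, two of them without an ACL.
WEAK_CONFIG = """\
hostname edge-rtr-1
snmp-server community public RO
snmp-server community private RW
snmp-server community n3tm0n RO 10
ip access-list standard 10
 permit 192.0.2.10
"""

# Constructed hardened excerpt: SNMPv3 auth+priv only, read-only view, ACL-bound.
HARDENED_CONFIG = """\
hostname edge-rtr-1
snmp-server view RESTRICTED system included
snmp-server group MONITOR v3 priv read RESTRICTED access 10
snmp-server user nms MONITOR v3 auth sha AUTH-PLACEHOLDER priv aes 128 PRIV-PLACEHOLDER
ip access-list standard 10
 permit 192.0.2.10
"""


def audit_snmp(config: str) -> list[str]:
    """Return one finding per weak SNMPv1/v2c community setting in an IOS config."""
    findings = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        community, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"community '{community}': well-known default string")
        if mode == "RW":
            findings.append(f"community '{community}': read-write access allowed")
        if acl is None:
            findings.append(f"community '{community}': no ACL, reachable from any source")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_snmp(cfg) or "no findings")
```

The regex does not handle the optional `ipv6 <nacl>` keyword, so a community line using it should be reviewed by hand.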

APT28 exploited the Cisco bug to deploy the Jaguar Tooth malware.

Russia’s APT28 threat group exploited a Cisco router bug (CVE-2017-6742) to deploy a custom malware known as Jaguar Tooth. Once installed, the malware can extract data from the router and grant the attackers unauthorised backdoor access.

The malware also lets its operators gain access to local accounts without authentication when connecting through Telnet or a manual session. In addition, Jaguar Tooth creates a new process, named Service Policy Lock, that harvests the output of CLI commands and transfers it via TFTP.

The latest notice points to an emerging pattern: state-sponsored threat actors developing custom malware for network devices to carry out cyber espionage and surveillance. One recent example is Chinese hackers using custom malware against flawed Fortinet devices in a series of attacks on government entities.

In a similar incident, a cybersecurity researcher reported that an alleged Chinese hacking operation used custom malware to infect exposed SonicWall appliances.

Such campaigns have gained traction among different threat actors over the years, because the traffic flowing through a vulnerable device gives the actors a path into the corporate networks behind it.

With that deeper network access, the attacks can exfiltrate large amounts of data. Cybersecurity experts advise patching vulnerable devices whenever an update is available; the updates fix the bugs and vulnerabilities that hackers rely on to exploit exposed devices.
