Russian APT hacked Cisco routers to hit US government
Cisco "deeply concerned" at attacks on "routers and firewalls globally"
Cisco says it is “deeply concerned” at the escalating number of high-sophistication attacks on network infrastructure including “routers and firewalls globally” – both its own and those from other providers.
The warning comes after US and UK authorities this week said that Russian military intelligence in 2021 exploited unpatched Cisco routers to gain access to targets including (unnamed) “US government institutions.”
They also hit a "small number [of victims] based in Europe and approximately 250 Ukrainian victims."
“Route/switch devices are stable, infrequently examined from a security perspective, are often poorly patched and provide deep network visibility. They are the perfect target for an adversary looking to be both quiet and have access to important intelligence capability as well as a foothold in a preferred network,” Cisco said today.
The comments came in a blog attributed to Matt Olney, Director, Talos Threat Intelligence and Interdiction.
They followed a joint April 18, 2023 warning by US and UK authorities over the exploitation of Cisco routers in 2021 by an advanced threat group known as APT28 and believed to be Russian military intelligence (GRU).
The FBI, NCSC, NSA and other agencies said that those attacks exploited a series of nine related Cisco vulnerabilities (CVE-2017-6736/7/8/9; CVE-2017-6740/1/2/3/4) that Cisco has admitted affected “all releases of Cisco IOS and IOS XE Software” prior to its patches, detailing indicators of compromise (IOCs) and urging action.
The vulnerabilities relate to how the routers handle the Simple Network Management Protocol (SNMP): Cisco’s original advisory described them as a buffer overflow condition in the SNMP subsystem.
Although Cisco said back in 2017 that “to exploit these vulnerabilities via SNMP Version 2c or earlier, the attacker must know the SNMP read-only community string for the affected system”, as the NCSC et al warned this week: “A number of software tools can scan the entire network using SNMP, meaning that poor configuration such as using default or easy-to-guess community strings, can make a network susceptible to attacks. Weak SNMP community strings, including the default ‘public’, allowed APT28 to gain access to router information...
“APT28 sent additional SNMP commands to enumerate router interfaces. The compromised routers were configured to accept SNMP v2 requests. SNMP v2 doesn’t support encryption and so all data, including community strings, is sent unencrypted,” the agencies added. They warned admins to “not use SNMP if you are not required to configure or manage devices remotely to prevent unauthorised users from accessing your router” and, “if you are required to manage routers remotely, establish allow and deny lists for SNMP messages to prevent unauthorised users from accessing your router”, as well as to enforce a strong password policy.
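The advisory’s guidance above (no default or guessable community strings, allow lists on every SNMP listener, no cleartext v1/v2c where it can be avoided) can be checked against a device’s running configuration. The following is an added example, not code from Cisco, Talos or the advisory: it audits constructed IOS-style configuration lines, one weak and one hardened with SNMPv3 and an access list; the 12-character length threshold, the ACL and group names and the placeholder passphrases are this example’s own assumptions.

```python
# Constructed sample running-config excerpts for this example (not real device output).
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server host 192.0.2.10 version 2c public
"""

HARDENED_CONFIG = """\
ip access-list standard SNMP-MGMT
 permit 192.0.2.10
 deny any log
snmp-server group NETOPS v3 priv access SNMP-MGMT
snmp-server user netops NETOPS v3 auth sha AUTH-PASS-PLACEHOLDER priv aes 128 PRIV-PASS-PLACEHOLDER
snmp-server host 192.0.2.10 version 3 priv netops
"""

DEFAULT_COMMUNITIES = {"public", "private"}
MIN_COMMUNITY_LEN = 12  # assumed threshold for this example, not an advisory value


def audit_snmp(config: str) -> list[str]:
    """Flag SNMP settings the joint advisory warns about: default or guessable
    community strings, SNMP listeners with no allow list, and cleartext v1/v2c."""
    findings = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] == ["snmp-server", "community"] and len(tokens) >= 3:
            # IOS syntax: snmp-server community <string> [view <name>] [RO|RW] [<acl>]
            community, rest = tokens[2], tokens[3:]
            if rest[:1] == ["view"]:
                rest = rest[2:]
            mode = "RO"
            if rest and rest[0].upper() in ("RO", "RW"):
                mode, rest = rest[0].upper(), rest[1:]
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"community '{community}' is a default string")
            elif len(community) < MIN_COMMUNITY_LEN:
                findings.append(f"community '{community}' is short enough to guess")
            if not rest:  # no ACL: any host that reaches UDP/161 may query the device
                findings.append(f"community '{community}' ({mode}) has no access list")
            findings.append(f"community '{community}' enables cleartext SNMP v1/v2c")
        elif tokens[:2] == ["snmp-server", "group"] and "v3" in tokens and "access" not in tokens:
            findings.append(f"v3 group '{tokens[2]}' has no access list")
        elif tokens[:2] == ["snmp-server", "host"] and "version" in tokens:
            version = tokens[tokens.index("version") + 1]
            if version in ("1", "2c"):
                findings.append(f"host {tokens[2]} receives SNMP v{version} traps in cleartext")
    return findings
```

Running `audit_snmp(WEAK_CONFIG)` reports seven findings against the weak excerpt, while the hardened excerpt (SNMPv3 `priv` group bound to the `SNMP-MGMT` allow list, no community strings) produces none.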
Cisco's Olney added in his blog meanwhile that "because of the large presence of Cisco network infrastructure around the world, any sustained attack against network infrastructure would likely target Cisco equipment, but attacks are by no means limited to Cisco hardware. In reporting on Russian intelligence contracting documents, samples of which were recently shared with Cisco Talos, it was shown that any infrastructure brand would be targeted, with one scanning component targeting almost 20 different router and switch manufacturers..."
IOCs and TTPs are here.