APT28 applies new malware campaign on Cisco routers

Target Industry

APT28 frequently targets the following industry sectors:

– Aerospace and Defence
– Government
– Hospitality
– Media


The UK National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the FBI have issued a joint disclosure explaining how the Russian state-sponsored threat actor group APT28 (Fancy Bear, Strontium, Sednit, and Sofacy) has been exploiting an SNMP vulnerability on Cisco IOS routers to deploy custom malware named “Jaguar Tooth”.

The Jaguar Tooth malware is injected directly into the memory of vulnerable Cisco routers running older firmware versions. Once installed, the malware exfiltrates data from the router and provides unauthenticated backdoor access to the target system. It has been observed being deployed and executed through exploitation of the patched SNMP vulnerability tracked as CVE-2017-6742 (CVSSv3 Score: 8.8). To install the malware, the threat actors scan for public Cisco routers using weak SNMP community strings. This allows the threat actor to access existing local accounts.

Please refer to the Quorum Cyber APT28 Threat Actor Profile for further details.


Successful exploitation of CVE-2017-6742 allows authenticated, remote threat actors to execute code on an affected system or cause an affected system to reload. By deploying the Jaguar Tooth malware, the APT28 threat actor group gains the ability to access vulnerable Cisco routers without authentication.

Vulnerability Detection

Cisco released the required security patch for CVE-2017-6742 when the vulnerability was discovered. As such, previous versions are vulnerable to potential exploitation.

Affected Products

– Cisco IOS routers operating firmware: C5350-ISM, Version 12.3(6)

Containment, Mitigations & Remediations

It is strongly recommended that Cisco administrators adhere to the following mitigation steps:

– Upgrade Cisco IOS routers to the latest firmware version
– Switch from SNMP to NETCONF/RESTCONF on public routers for remote management. If SNMP is required, administrators should configure allow and deny lists to restrict access to the SNMP interface on publicly exposed routers
– The community string should be changed to a sufficiently strong, random string
– Disable SNMPv2 or Telnet on Cisco routers
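
The SNMP and Telnet items above can be checked against a saved running-config. The following is an added example, not code from the bulletin or from Cisco; the sample config, the list of common community strings and the 20-character minimum are assumptions made for illustration.

```python
# Added example: audit a Cisco IOS running-config against the bulletin's SNMP/Telnet advice.
# Assumptions (not from the bulletin): the default-string list and 20-char minimum.
COMMON_COMMUNITIES = {"public", "private", "cisco", "admin", "snmp", "monitor"}
MIN_COMMUNITY_LEN = 20

# Constructed sample config; hostname, ACL name and strings are made up.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
snmp-server community public RO
snmp-server community k7Qz1vX9mB3tR8wL2pYs RO SNMP-MGMT
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

def parse_community(line):
    """Return (community, acl_tokens) for an 'snmp-server community' line, else None."""
    tok = line.split()
    if len(tok) < 3 or [t.lower() for t in tok[:2]] != ["snmp-server", "community"]:
        return None
    name, rest = tok[2], tok[3:]
    if rest and rest[0].lower() == "view":      # optional "view <name>"
        rest = rest[2:]
    return name, [t for t in rest if t.lower() not in ("ro", "rw")]

def audit_config(text):
    """Return (line_number, finding) tuples in config order."""
    findings, in_vty = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not raw.startswith(" "):             # top-level line: update vty context
            in_vty = line.lower().startswith("line vty")
        parsed = parse_community(line)
        if parsed:
            name, acl = parsed
            findings.append((no, "community-based SNMP (v1/v2c) enabled"))
            if name.lower() in COMMON_COMMUNITIES or len(name) < MIN_COMMUNITY_LEN:
                findings.append((no, "weak community string"))
            if not acl:
                findings.append((no, "no access list on community"))
        elif in_vty and line.lower().startswith("transport input"):
            if {"telnet", "all"} & set(line.lower().split()[2:]):
                findings.append((no, "telnet allowed on vty"))
    return findings

if __name__ == "__main__":
    for no, finding in audit_config(SAMPLE_CONFIG):
        print(f"line {no}: {finding}")
```

A vty block with no `transport input` line is not flagged; the default depends on the IOS release, so check those blocks by hand.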

Moreover, if a device is suspected of having been compromised, the following steps should be undertaken:

– Use Cisco’s advice for verifying the integrity of the IOS image
– Revoke all keys associated with the device and don’t reuse old keys
– Replace images with those directly from Cisco.

Indicators of Compromise

APT28 Associated IP Addresses:


APT28 Associated File Hashes (MD5):


APT28 Associated File Hashes (SHA256):


APT28 Associated Domains:


Threat Landscape

There is an emerging trend among nation state-sponsored threat actors to create custom malware variants for networking devices to conduct cyber espionage and surveillance operations.

As edge network devices do not support endpoint detection and response (EDR) solutions, they are becoming a favoured target for threat actors. Further, as they are located on the edge with a significant quantity of corporate network traffic passing through them, they are attractive targets to monitor network traffic and harvest credentials for the purposes of further targeting.

Threat Group

APT28 (Fancy Bear, Pawn Storm, Sofacy, Strontium, Tsar Team, and Iron Twilight) is a Russian state-sponsored threat actor group that is attributed to the Russian Main Directorate/Main Intelligence Directorate of the General Staff of the Armed Forces (GRU) Unit 26165. The group has been operational since at least 2004 and conducts espionage operations against targeted entities for the purposes of intelligence gathering and hack-and-leak/Information Operations (IO).

Further Information

NCSC Malware Report
Cisco Advisory

Intelligence Terminology Yardstick