APT28 applies new malware campaign on Cisco routers
APT28 frequently targets the following industry sectors:
– Aerospace and Defence
The UK National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the FBI have issued a joint disclosure explaining how the Russian state-sponsored threat actor group APT28 (Fancy Bear, Strontium, Sednit, and Sofacy) has been exploiting an SNMP vulnerability on Cisco IOS routers to deploy a custom malware named “Jaguar Tooth”.
The Jaguar Tooth malware is injected directly into the memory of vulnerable Cisco routers running older firmware versions. Following installation, the malware exfiltrates data from the router and provides unauthenticated backdoor access to the target system. It has been observed being deployed and executed via exploitation of the patched SNMP vulnerability tracked as CVE-2017-6742 (CVSSv3 Score: 8.8). To install the malware, the threat actors scan for publicly exposed Cisco routers using weak SNMP community strings, which allows them to access existing local accounts.
Please refer to the Quorum Cyber APT28 Threat Actor Profile for further details.
Successful exploitation of CVE-2017-6742 allows authenticated, remote threat actors to execute code on an affected system or cause an affected system to reload. With the deployment of the Jaguar Tooth malware, the APT28 threat actor group is granted the ability to access vulnerable Cisco routers in an unauthenticated manner.
Cisco released the required security patch for CVE-2017-6742 when the vulnerability was discovered. As such, unpatched earlier versions remain vulnerable to exploitation.
– Cisco IOS routers operating firmware: C5350-ISM, Version 12.3(6)
Containment, Mitigations & Remediations
It is strongly recommended that Cisco administrators adhere to the following mitigation steps:
– Upgrade Cisco IOS routers to the latest firmware version
– Switch from SNMP to NETCONF/RESTCONF on public routers for remote management. If SNMP is required, administrators should configure allow and deny lists to restrict access to the SNMP interface on publicly exposed routers
– The community string should be changed to a sufficiently strong, random string
– Disable SNMPv2 or Telnet on Cisco routers
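The SNMP-related steps above can be checked against a router's running configuration. The following audit script is an added example and is not part of the advisory; the two configurations it inspects are constructed samples (the hardened one assumes SNMPv3 with a source access-list, which is one way of meeting the steps above), and the community-string length threshold is an assumed policy value.

```python
import re

# Constructed sample configs (not taken from the advisory or from any real device).
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
ip access-list standard SNMP-MGMT
 permit 192.0.2.10
snmp-server group MGMT-V3 v3 priv access SNMP-MGMT
snmp-server user monitor MGMT-V3 v3 auth sha Auth-Pass-Example-1 priv aes 128 Priv-Pass-Example-1
line vty 0 4
 transport input ssh
"""

# Well-known default community strings; any match is treated as weak.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "snmp"}
MIN_COMMUNITY_LEN = 16  # assumed policy threshold for a "sufficiently strong" string

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW))?(?:\s+(\S+))?$", re.I)
TRANSPORT_RE = re.compile(r"^\s*transport input\s+(.+)$", re.I)


def audit_snmp(config: str) -> list[str]:
    """Return findings for the SNMP/Telnet weaknesses the mitigation list calls out."""
    findings = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if m:
            # Any community string means SNMPv1/v2c is enabled: the string is the only secret.
            community, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
            if community.lower() in DEFAULT_COMMUNITIES or len(community) < MIN_COMMUNITY_LEN:
                findings.append(f"weak community string '{community}' ({mode})")
            if acl is None:
                findings.append(f"community '{community}' has no access-list restricting sources")
            if mode == "RW":
                findings.append(f"read-write community '{community}' exposed")
            continue
        t = TRANSPORT_RE.match(line)
        if t and re.search(r"\b(telnet|all)\b", t.group(1), re.I):
            findings.append(f"Telnet enabled on VTY lines: '{line.strip()}'")
    return findings
```

Running `audit_snmp` over the weak sample reports six findings, while the hardened sample reports none.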
Moreover, if a device is suspected of having been compromised, the following steps should be undertaken:
– Use Cisco’s advice for verifying the integrity of the IOS image
– Revoke all keys associated with the device and don’t reuse old keys
– Replace images with those directly from Cisco.
Indicators of Compromise
APT28 Associated IP Addresses:
APT28 Associated File Hashes (MD5):
APT28 Associated File Hashes (SHA256):
APT28 Associated Domains:
There is an emerging trend among nation state-sponsored threat actors to create custom malware variants for networking devices to conduct cyber espionage and surveillance operations.
As edge network devices do not support endpoint detection and response (EDR) solutions, they are becoming a favoured target for threat actors. Further, as they are located on the edge with a significant quantity of corporate network traffic passing through them, they are attractive targets to monitor network traffic and harvest credentials for the purposes of further targeting.
APT28 (Fancy Bear, Pawn Storm, Sofacy, Strontium, Tsar Team, and Iron Twilight) is a Russian state-sponsored threat actor group that is attributed to the Russian Main Directorate/Main Intelligence Directorate of the General Staff of the Armed Forces (GRU) Unit 26165. The group has been operational since at least 2004 and conducts espionage operations against targeted entities for the purposes of intelligence gathering and hack-and-leak/information operations (IO).
NCSC Malware Report