State-sponsored Threat Actor Exploits SNMP Vulnerability in Cisco Routers
The UK National Cyber Security Centre (NCSC) along with the United States FBI, NSA and CISA have released a joint advisory describing a 2021 campaign exploiting a known SNMP vulnerability in Cisco IOS and Cisco IOS XE.
Threat details
Introduction
The UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA) and the US Federal Bureau of Investigation (FBI) have released a joint advisory describing how state-sponsored threat actors (commonly tracked as APT28) successfully exploited Cisco routers during a 2021 campaign using a known Simple Network Management Protocol (SNMP) vulnerability (CVE-2017-6742).
CVE-2017-6742 was first disclosed in a Cisco security advisory in June 2017 and relates to a buffer overflow condition in the SNMP subsystem. Successful exploitation could allow an authenticated, remote attacker to execute arbitrary code and obtain full control of the affected system or cause the affected system to reload.
In the 2021 campaign detailed by the NCSC, threat actors exploited CVE-2017-6742 to perform reconnaissance, enumerate router interfaces and deploy custom malware known as "Jaguar Tooth", as detailed in the NCSC’s Jaguar Tooth malware analysis report. This malware obtains further device information, which is then exfiltrated over the Trivial File Transfer Protocol (TFTP), and enables unauthenticated access via a backdoor.
The NCSC have attributed the campaign to APT28, whom they assess as "almost certainly the Russian General Staff Main Intelligence Directorate (GRU) 85th special Service Centre (GTsSS) Military Intelligence Unit 26165." This nation-state group are known to be highly skilled and have previously targeted organisations throughout Europe and the US.
Remediation advice
Affected organisations are strongly encouraged to review the NCSC's Joint Advisory and the Cisco Security Advisory and to apply the relevant patches.
The NCSC advise organisations who suspect their router may have been compromised to:
- Follow Cisco advice for verifying the Cisco IOS image.
- Revoke all keys associated with that router. When replacing the router configuration be sure to create new keys rather than pasting from the old configuration.
- Replace both the ROMMON and Cisco IOS image with an image that has been sourced directly from the Cisco website, in case third party and internal repositories have been compromised.
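Because exploitation of CVE-2017-6742 requires valid SNMP credentials (for SNMPv1/v2c, the community string), checking where those credentials are exposed complements the patching and recovery advice above. The following is an added example and is not part of the NCSC or Cisco advisories: it audits a constructed IOS-style configuration fragment with a simplified parser (the regular expression, the sample hostnames, communities and ACL names are all assumptions, not Cisco's full command grammar).

```python
import re

# Constructed sample Cisco IOS running-config fragment (not from the advisory).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
snmp-server community public RO
snmp-server community s3cret RW 10
snmp-server community readonly RO SNMP-MGMT
snmp-server group ADMIN v3 priv read RESTRICTED
snmp-server view RESTRICTED iso included
ip access-list standard SNMP-MGMT
 permit 192.0.2.10
"""

# Simplified form of: snmp-server community <string> [view <name>] [ro|rw] [acl]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>(?i:RO|RW)))?(?: (?P<acl>\S+))?\s*$"
)


def audit_snmp(config: str) -> list[str]:
    """Return findings describing SNMPv1/v2c exposure in an IOS-style config."""
    findings = []
    # Collect names/numbers of ACLs that are actually defined in the config.
    acls = set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", config, re.M))
    acls |= set(re.findall(r"^access-list (\d+)", config, re.M))
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        name, view, mode, acl = m.group("name", "view", "mode", "acl")
        mode = (mode or "RO").upper()  # IOS defaults a community to read-only
        if name.lower() in {"public", "private"}:
            findings.append(f"{name}: well-known community string")
        if mode == "RW":
            findings.append(f"{name}: read-write community (full config exposure)")
        if acl is None:
            findings.append(f"{name}: no ACL, any source may attempt SNMP auth")
        elif acl not in acls:
            findings.append(f"{name}: ACL {acl} referenced but not defined")
        if view is None:
            findings.append(f"{name}: no view, every MIB reachable")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print(finding)
```

Findings point at communities that should be removed, moved behind an ACL and a restrictive view, or migrated to SNMPv3 with authentication and privacy; the script does not replace applying Cisco's fixed releases.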
Definitive source of threat updates
- https://www.ncsc.gov.uk/news/apt28-exploits-known-vulnerability-to-carry-out-reconnaissance-and-deploy-malware-on-cisco-routers
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170629-snmp
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/jaguar-tooth/NCSC-MAR-Jaguar-Tooth.pdf
- https://blogs.cisco.com/security/threat-actors-exploiting-snmp-vulnerabilities-in-cisco-routers
Last edited: 19 April 2023 4:38 pm