Cisco says it is “deeply concerned” state-sponsored actors conducting cyber espionage are behind a global spike in attacks on network infrastructure.
The communication technology giant’s warning comes at the same time a joint advisory from the UK’s National Cyber Security Centre, U.S. Cybersecurity and Infrastructure Security Agency (CISA), the NSA, and the FBI details a campaign by the Russian hacking group APT28 to leverage a six-year-old vulnerability in unpatched Cisco routers.
The advisory outlines how APT28—a state actor linked to Moscow’s General Staff Main Intelligence Directorate (GRU) and also known as Fancy Bear, STRONTIUM, the Sednit Gang, and Sofacy—successfully exploited a known Simple Network Management Protocol (SNMP) vulnerability (CVE-2017-6742) in Cisco IOS and Cisco IOS XE Software.
This vulnerability was first disclosed in 2017 along with a patch. Cisco says the new APT28 campaign, dubbed “Jaguar Tooth,” is “an example of a much broader trend of sophisticated adversaries targeting networking infrastructure to advance espionage objectives or pre-position for future destructive activity”.
Rob Joyce, director of the NSA’s cybersecurity division, highlighted the ongoing nature of the campaign, which has been observed since at least 2021, and urged defenders to identify and address unpatched versions of their Cisco routers.
“Reminder: Russian cyber actors are still very active. You should be taking every precaution to defend against their tradecraft,” Joyce wrote on Twitter while referencing the campaign. “This advisory contains actionable steps you can take to close down a known attack vector.”
In a separate threat advisory, Matt Olney, director of threat intelligence and interdiction at Cisco Talos, the vendor’s threat intelligence and research division, said they have observed traffic manipulation, traffic copying, hidden configurations, router malware, infrastructure reconnaissance and active weakening of defenses on networks attacked by Jaguar Tooth.
To Olney and others, the gains that Russian hackers managed to extract from a known, six-year-old router vulnerability underscore the great harm that can come when organizations fail to stay on top of their patch management.
“We are concerned that insufficient awareness and patching, the reliance on end-of-life equipment and the necessity for always-on connectivity makes too many infrastructure devices easy prey,” Olney wrote Tuesday. “The results of these issues range from being an unwitting participant in criminal activity to events of true national security impact.”
In its threat advisory, Cisco Talos added that network infrastructure was “built to last, and in today’s always-on world, it’s sometimes impossible to find a patch window”.
“But recent reports—and our own investigations—show that it is critical to update both the hardware and the software that runs your network. This is true not just because patching eliminates known vulnerabilities, but upgrades also introduce new security capabilities and controls that weren’t previously available.”
In 2021, APT28 used infrastructure to masquerade SNMP access into Cisco routers worldwide. This included a small number based in Europe, U.S. government institutions and approximately 250 Ukrainian victims.
SNMP is designed to allow network administrators to monitor and configure network devices remotely, but it can also be misused to obtain sensitive network information and, if vulnerable, exploit devices to penetrate a network.
A number of software tools can scan the entire network using SNMP, meaning poor configuration (such as using default or easy-to-guess community strings) can make a network susceptible to attacks.
It was these weak SNMP community strings, including the default “public” string, which allowed APT28 to gain access to router information.
The compromised routers were configured to accept SNMP v2 requests. SNMP v2 doesn’t support encryption, so all data, including community strings, is sent unencrypted.
In a blog post, Omar Santos, Cisco Product Security Incident Response Team Security Research and Operations Principal Engineer, said for many years, the vendor had been advising customers to restrict SNMP access to trusted users only.
He said alternatives to SNMP, like NETCONF and RESTCONF, offered significant security advantages, including stronger authentication and encryption, more granular access control, better-structured data representation, and improved error handling and transaction support.
“While SNMP is still widely used for its simplicity and compatibility with older network devices, the security benefits of NETCONF and RESTCONF make them more suitable for modern network management,” he wrote.
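As an added example, not from the advisory or from Cisco, the following Python script audits a Cisco IOS configuration excerpt for the SNMP weaknesses described above: v1/v2c communities (cleartext on the wire), default or guessable community strings, communities with no source ACL, read-write access, and SNMPv3 groups configured without privacy. The sample config and the weak-string list are constructed for the example, and the regexes assume the common `snmp-server community` / `snmp-server group` forms rather than every IOS variant.

```python
import re

# Constructed Cisco IOS running-config excerpt (hypothetical device).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
access-list 10 permit 192.0.2.10
access-list 10 deny any
snmp-server community public RO
snmp-server community s3cr3t-ro RO 10
snmp-server community private RW
snmp-server group NETMON v3 noauth
snmp-server group NETADM v3 priv access 10
"""

# Default and commonly guessed community strings (assumed list for this example).
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin", "secret"}

# Common forms only: "snmp-server community <string> [view <v>] RO|RW [<acl>]"
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?$")
# "snmp-server group <name> v3 noauth|auth|priv [access <acl>]"
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)(?: access (\S+))?$")


def audit_snmp_config(config: str) -> list[tuple[str, str]]:
    """Return (config line, finding) pairs for SNMP settings that expose the device."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := COMMUNITY_RE.match(line):
            community, mode, acl = m.groups()
            # Every v1/v2c community string crosses the wire unencrypted.
            findings.append((line, "SNMPv1/v2c community: sent in cleartext on the wire"))
            if community.lower() in WEAK_COMMUNITIES:
                findings.append((line, f"default or guessable community string '{community}'"))
            if acl is None:
                findings.append((line, "no ACL restricts which hosts may use this community"))
            if mode == "RW":
                findings.append((line, "read-write community allows configuration changes"))
        elif m := GROUP_RE.match(line):
            group, level, acl = m.groups()
            if level != "priv":
                findings.append((line, f"SNMPv3 group '{group}' uses '{level}': no encryption"))
            if acl is None:
                findings.append((line, f"SNMPv3 group '{group}' has no source ACL"))
    return findings


if __name__ == "__main__":
    for cfg_line, issue in audit_snmp_config(SAMPLE_CONFIG):
        print(f"{issue}\n    {cfg_line}")
```

Only the `NETADM` v3 group with `priv` and a source ACL passes cleanly; the script can be pointed at the output of `show running-config | include snmp-server` from a real device.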