Researchers in US and UK warn that Russian state sponsored APT28 hackers deploy ”Jaguar Tooth” custom malware on routers in order to obtain unauthorized access.
The APT28 threat group is known for a wide range of attacks and cyberespionage activities on European and US organizations and also for abusing zero-day exploits. According to Bleepingcomputer:
A joint report released today by the UK National Cyber Security Centre (NCSC), US Cybersecurity and Infrastructure Security Agency (CISA), the NSA, and the FBI details how the APT28 hackers have been exploiting an old SNMP flaw on Cisco IOS routers to deploy a custom malware named ‘Jaguar Tooth.’
Jaguar Tooth is non-persistent malware that targets Cisco IOS routers running firmware: C5350-ISM, Version 12.3(6)
What Is Jaguar Tooth Malware and How It Works
Hackers choose routers that run old firmware versions to inject the malware directly into their memory. Once installed, Jaguar Tooth exfiltrates data from the router and enables hackers with unauthenticated backdoor access. After it collects device information, it exfiltrates it over TFTP. The malware is deployed and executed by exploiting the patched SNMP vulnerability CVE-2017-6742.
The malware also creates a process named ‘Service Policy Lock’ that collects data from the Command Line Interface (CLI), namely for the following commands:
- show running-config
- show version
- reveal ip interface brief
- show arp
- indicate cdp neighbors
- show start
- indicate ip route
- show flash
Researchers` Recommendations
In order to mitigate these attacks, admins should first of all update the routers to the latest version. Further on they should switch from SNMP to NETCONF/RESTCONF on public routers for remote management, so they enhance security and functionality.
If they can`t avoid using SNMP, researchers recommend that admins configure allow and deny lists and restrict access to the SNMP interface on exposed routers.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.
If you liked this post, you will enjoy our newsletter.
Get cybersecurity updates you’ll actually want to read directly in your inbox.
