While patching vulnerabilities is challenging for defenders, exploiting vulnerabilities left unpatched is not so challenging for threat actors. A new joint advisory published by the NCSC, NSA, CISA, and FBI, "APT28 Exploits Known Vulnerability To Carry Out Reconnaissance and Deploy Malware on Cisco Routers," provides details of known behaviors associated with APT28's (a.k.a. Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team) 2021 exploitation of a five-year-old SNMP remote code execution vulnerability affecting Cisco routers.
According to the report, APT28 compromised Cisco routers worldwide by exploiting CVE-2017-6742 to perform reconnaissance and deploy malware on routers in Europe, at U.S. government institutions, and on approximately 250 Ukrainian victims. While CVE-2017-6742 is not on CISA's Known Exploited Vulnerabilities (KEV) Catalog at the time of this posting, three related vulnerabilities described in Cisco's original advisory, CVE-2017-6740, CVE-2017-6743, and CVE-2017-6744, were added to the KEV on March 3, 2022.
The advisory highlights the continued interest of threat actors, including state-sponsored actors, in using old vulnerabilities to compromise devices left unpatched. It further emphasizes the importance of organizations staying current on patching and the value of verifying patch status for known exploited vulnerabilities. CISA encourages personnel to review NCSC's Jaguar Tooth malware analysis report for detailed TTPs and indicators of compromise that may help detect APT28 activity. For more information on APT28 activity, see the advisories "Russian State-sponsored and Criminal Cyber Threats to Critical Infrastructure" and "Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments."
Members who use the affected Cisco devices are strongly encouraged to keep them up to date and to verify patch status for old vulnerabilities. The advisory also includes other mitigations and guidance on what to do if you think your Cisco router has been compromised. For more details, visit CISA.
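The KEV situation described above (the exploited CVE absent from the catalog while three CVEs from the same Cisco advisory are present) is exactly the case a patch-status check should not miss. The following is an added example, not code from the advisory or from CISA: it triages a device's unpatched CVEs against a constructed subset of the KEV JSON feed, and it assumes the operator keeps a mapping of which CVEs each vendor advisory fixed (the advisory key is a placeholder).

```python
import json

# Constructed subset in the field layout of CISA's KEV JSON feed; the CVE ids
# and the date come from the advisory summary above, nothing else is real data.
KEV_SAMPLE_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2017-6740", "vendorProject": "Cisco", "dateAdded": "2022-03-03"},
    {"cveID": "CVE-2017-6743", "vendorProject": "Cisco", "dateAdded": "2022-03-03"},
    {"cveID": "CVE-2017-6744", "vendorProject": "Cisco", "dateAdded": "2022-03-03"},
]})

# Assumption: the operator records which CVEs a single vendor advisory fixed.
# This group is the one the summary describes (three KEV entries plus
# CVE-2017-6742); the key is a placeholder, not Cisco's advisory id.
ADVISORY_GROUPS = {
    "VENDOR-SNMP-ADVISORY-PLACEHOLDER": {
        "CVE-2017-6740", "CVE-2017-6742", "CVE-2017-6743", "CVE-2017-6744"},
}


def load_kev_ids(kev_json):
    """Return {cveID: dateAdded} for every record in a KEV feed document."""
    feed = json.loads(kev_json)
    return {v["cveID"]: v["dateAdded"] for v in feed["vulnerabilities"]}


def triage(unpatched, kev_json, groups=ADVISORY_GROUPS):
    """Classify each unpatched CVE for patch prioritisation:
       'kev'         - listed in KEV
       'kev-sibling' - not in KEV, but fixed by the same vendor advisory as a
                       KEV entry (the CVE-2017-6742 case); treat as equally urgent
       'unlisted'    - no KEV signal; fall back to normal severity/exposure ranking
    """
    kev = load_kev_ids(kev_json)
    sibling_of_kev = set()
    for cves in groups.values():
        if any(c in kev for c in cves):
            sibling_of_kev |= cves
    result = {}
    for cve in unpatched:
        if cve in kev:
            result[cve] = "kev"
        elif cve in sibling_of_kev:
            result[cve] = "kev-sibling"
        else:
            result[cve] = "unlisted"
    return result


if __name__ == "__main__":
    # CVE-2099-0001 is a constructed id with no KEV or advisory link.
    sample = ["CVE-2017-6742", "CVE-2017-6744", "CVE-2099-0001"]
    for cve, status in triage(sample, KEV_SAMPLE_JSON).items():
        print(cve, status)
```

With the real feed, replace KEV_SAMPLE_JSON with the downloaded catalog document; the field names used here match the public feed.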