Cisco routers are being targeted by custom Russian malware

Russian state-sponsored threat actors have built custom malware and are using it against old, unpatched Cisco IOS routers , a joint US-UK r...

Russian state-sponsored threat actors have built custom malware and are using it against old, unpatched Cisco IOS routers, a joint US-UK report has warned. 

The UK National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a report in which they state that APT28, a group allegedly affiliated with the Russian General Staff Main Intelligence Directorate (GRU), developed a custom malware named “Jaguar Tooth”. 

This malware is capable of stealing sensitive data passing through the router, and allows threat actors unauthenticated backdoor access to the device.

Stealing data

The attackers would first scan for public Cisco routers using weak SNMP community strings, such as the commonly used “public” string, BleepingComputer reports. As per the publication, SNMP community strings are like “credentials that allow anyone who knows the configured string to query SNMP data on a device”. 

If they find a valid SNMP community string, the attackers will look to exploit CVE-2017-6742, a six-year-old vulnerability that allows for remote code execution. That allows them to install the Jaguar Tooth malware directly into the memory of Cisco routers. 

"Jaguar Tooth is non-persistent malware that targets Cisco IOS routers running firmware: C5350-ISM, Version 12.3(6)," the advisory reads. "It includes functionality to collect device information, which it exfiltrates over TFTP, and enables unauthenticated backdoor access. It has been observed being deployed and executed via exploitation of the patched SNMP vulnerability CVE-2017-6742."

The malware will then create a new process called “Service Policy Lock” that gathers all the output from these Command Line Interface commands and harvests them using TFTP: 

  • show running-config
  • show version
  • show ip interface brief
  • show arp
  • show cdp neighbors
  • show start
  • show ip route
  • show flash

To address the problem, admins should update their Cisco routers’ firmware immediately. Furthermore, they can switch from SNMP to NETCONF/RESTCONF on public routers. If they can’t switch from SNMP, they should configure allow and deny lists to limit who can access the SNMP interface on internet-connected routers. Also, the community string should be changed to something stronger.

The advisory also says admins should disable SNMP v2 or Telnet.

 Via: BleepingComputer



from TechRadar - All the latest technology news https://ift.tt/hdotTEl
via IFTTT

COMMENTS

BLOGGER
Name

Apps,3858,Business,151,Camera,1155,Earn $$$,3,Gadgets,1741,Games,926,GTA,1,Innovations,3,Mobile,1697,Paid Promotions,5,Promotions,5,Sports,1,Technology,8106,Trailers,796,Travel,37,Trending,4,Trendly News,25335,TrendlyNews,188,Video,5,XIAOMI,13,YouTube - 9to5Google,187,
ltr
item
Trendly News | #ListenNow #Everyday #100ShortNews #TopTrendings #PopularNews #Reviews #TrendlyNews: Cisco routers are being targeted by custom Russian malware
Cisco routers are being targeted by custom Russian malware
Trendly News | #ListenNow #Everyday #100ShortNews #TopTrendings #PopularNews #Reviews #TrendlyNews
http://www.trendlynews.in/2023/04/cisco-routers-are-being-targeted-by.html
http://www.trendlynews.in/
http://www.trendlynews.in/
http://www.trendlynews.in/2023/04/cisco-routers-are-being-targeted-by.html
true
3372890392287038985
UTF-8
Loaded All Posts Not found any posts VIEW ALL Readmore Reply Cancel reply Delete By Home PAGES POSTS View All RECOMMENDED FOR YOU LABEL ARCHIVE SEARCH ALL POSTS Not found any post match with your request Back Home Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sun Mon Tue Wed Thu Fri Sat January February March April May June July August September October November December Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec just now 1 minute ago $$1$$ minutes ago 1 hour ago $$1$$ hours ago Yesterday $$1$$ days ago $$1$$ weeks ago more than 5 weeks ago Followers Follow THIS PREMIUM CONTENT IS LOCKED STEP 1: Share. STEP 2: Click the link you shared to unlock Copy All Code Select All Code All codes were copied to your clipboard Can not copy the codes / texts, please press [CTRL]+[C] (or CMD+C with Mac) to copy