Russian snoops just love invading unpatched Cisco gear, America and UK warn

Spying on foreign targets? That's our job!


The UK and US governments have sounded the alarm on Russian intelligence targeting unpatched Cisco routers to deploy malware and carry out surveillance.

In a joint advisory issued Tuesday, the UK National Cyber Security Centre (NCSC), the NSA, America's Cybersecurity and Infrastructure Security Agency (CISA) and the FBI provided details about how Russia's APT28 — aka Fancy Bear and Strontium — exploited an old vulnerability in unpatched Cisco routers in 2021 to collect network information belonging to European and US government organizations, and about 250 Ukrainian victims.

APT28 is understood to be a key cog in the Russian military intelligence machine: it's a GRU-linked crew responsible for, among other things, the 2015 theft of data from the German parliament, the US Democratic National Committee ransacking a year later, the attempted intrusion into the UK Organisation for the Prohibition of Chemical Weapons in April 2018, and a slew of more recent cyberattacks against Ukraine since the Russian invasion began.

"TTPs in this advisory may still be used against vulnerable Cisco devices," the governments' advisory said, referring to the tactics, techniques, and procedures employed by Russia to compromise the networking gear. 

To be clear: this is a nearly six-year-old vulnerability that Cisco disclosed and fixed in 2017. The networking vendor updated its security advisory when it became aware of in-the-wild exploits of the now-patched bug.

In a separate warning, also issued on Tuesday, Cisco said it's not just Russian spies attempting to attack network infrastructure — and it's not just Cisco gear they're going after.

"Cisco is deeply concerned by an increase in the rate of high-sophistication attacks on network infrastructure — that we have observed and have seen corroborated by numerous reports issued by various intelligence organizations — indicating state-sponsored actors are targeting routers and firewalls globally," Cisco Talos Threat Intelligence Director Matt Olney said.

In an interview with The Register, JJ Cummings, Cisco Talos national intelligence principal, said the IT giant's threat hunting team has seen this type of router targeting being used for espionage, and to support more destructive attacks, much more recently than 2021.


"Network operators are, frankly, incentivized, and their whole goal is to maintain a high-availability, operational environment for the rest of their organization," Cummings said. "When they're incentivized to do this, we're seeing cases where devices go untouched for years at a time, or even longer potentially, all in the name of maintaining that uptime and that availability."

That long-term availability comes at the cost of unpatched gear: updates are not applied to avoid downtime or any interruption of business. "The security of that device isn't always front of mind," Cummings said.

Abusing SNMP with a 'Jaguar Tooth' bite

In the 2021 attacks, the Kremlin spies used the Simple Network Management Protocol (SNMP) to access Cisco routers worldwide. This protocol is normally used by network administrators to monitor and configure devices remotely. As the Russian campaign showed, it can also be turned against vulnerable and poorly protected equipment to infiltrate organizations' networks.

"A number of software tools can scan the entire network using SNMP, meaning that poor configuration such as using default or easy-to-guess community strings, can make a network susceptible to attacks," the NCSC said. "Weak SNMP community strings, including the default 'public', allowed APT28 to gain access to router information."
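The weaknesses the NCSC describes are visible in a router's saved configuration, so a defender can check for them before an attacker's scanner does. The following is an added example, not code from the article, Cisco, or the agencies cited: it parses `snmp-server community` lines from Cisco IOS running-config text and flags default or easy-to-guess strings, read-write communities, communities with no access list, and configurations with no SNMPv3 group at all. The sample config is constructed for the example; the set of default strings and the 12-character length threshold are assumed local policy values, not Cisco settings.

```python
"""Audit Cisco IOS configuration text for weak SNMP community strings.

Added example, not the article's or Cisco's code. The default-string set and
minimum length below are assumed local policy values.
"""
import re
from dataclasses import dataclass

# Assumption: "public" and "private" are the well-known defaults worth flagging;
# extend this set with values your own organisation considers known-bad.
DEFAULT_COMMUNITIES = {"public", "private"}
MIN_COMMUNITY_LENGTH = 12  # assumed local policy threshold

# IOS syntax: snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<string>\S+)"
    r"(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>RO|RW))?"
    r"(?: (?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)
# Any v3 group with auth or priv means the device can do more than community strings.
V3_GROUP_RE = re.compile(r"^snmp-server group \S+ v3 (auth|priv)\b", re.IGNORECASE)

# Constructed sample running-config (not from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
snmp-server community public RO
snmp-server community private RW
snmp-server community Xk7#v9Lq2pRt!mZ RO 10
snmp-server community monitoring RO
snmp-server group NETMON v3 priv
!
access-list 10 permit 192.0.2.10
"""


@dataclass(frozen=True)
class Finding:
    line_no: int      # 0 means the finding applies to the whole config
    severity: str     # "high" or "medium"
    community: str    # masked so the report itself does not leak the secret
    reason: str


def mask(secret: str) -> str:
    """Show defaults in full (they are not secrets); mask everything else."""
    return secret if secret.lower() in DEFAULT_COMMUNITIES else secret[:2] + "***"


def is_guessable(community: str) -> bool:
    """Default, short, or all-lowercase dictionary-style strings are easy to guess."""
    if community.lower() in DEFAULT_COMMUNITIES:
        return True
    if len(community) < MIN_COMMUNITY_LENGTH:
        return True
    return community.isalpha() and community.islower()


def audit_snmp_config(config_text: str) -> list[Finding]:
    """Return one Finding per weakness found in the config text."""
    findings: list[Finding] = []
    has_v3 = False
    saw_community = False
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if V3_GROUP_RE.match(line):
            has_v3 = True
            continue
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        saw_community = True
        community = m.group("string")
        mode = (m.group("mode") or "RO").upper()  # IOS defaults to read-only
        shown = mask(community)
        if is_guessable(community):
            findings.append(Finding(line_no, "high", shown,
                                    "default or easy-to-guess community string"))
        if mode == "RW":
            findings.append(Finding(line_no, "high", shown,
                                    "read-write community allows configuration changes"))
        if m.group("acl") is None:
            findings.append(Finding(line_no, "medium", shown,
                                    "no access list restricts which hosts may query"))
    if saw_community and not has_v3:
        findings.append(Finding(0, "medium", "-",
                                "no SNMPv3 group configured; only community-based v1/v2c access exists"))
    return findings


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_CONFIG):
        print(f"line {f.line_no:>2} [{f.severity:6}] {f.community}: {f.reason}")
    print(count_by_severity(audit_snmp_config(SAMPLE_CONFIG)))
```

Run it against the output of `show running-config` collected from your own devices; the clean line in the sample (a long mixed-character string, read-only, bound to access list 10) produces no finding, which is the shape every community line should have if SNMPv1/v2c cannot be retired in favour of SNMPv3.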

After exploiting weak SNMP community strings to access routers, the attackers deployed Jaguar Tooth malware [PDF], which collected more device information and sent it back to the intruders over trivial file transfer protocol (TFTP), and also enabled unauthenticated backdoor access to the network so that Moscow's snoops could maintain persistence.

Talos, for its part, said Cisco's not the only device maker in nation-state spies' crosshairs. Its team spotted one scanning tool targeting "almost 20" router and switch manufacturers, Olney noted. 

Plus, Chinese spies are just as likely as their Russian counterparts to target network equipment, the Talos alert added, citing a CISA warning from June 2022.

"It is reasonable to conclude that any sufficiently capable national intelligence operation would develop and use the capability to compromise the communications infrastructure of their preferred targets," Olney wrote.

"We have observed traffic manipulation, traffic copying, hidden configurations, router malware, infrastructure reconnaissance and active weakening of defenses by adversaries operating on networking equipment," he continued. "Given the variety of activities we have seen adversaries engage in, they have shown a very high level of comfort and expertise working within the confines of compromised networking equipment." ®
