1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Cisco routers are being targeted by custom Russian malware

    From TechnologyDaily@1337:1/100 to All on Wed Apr 19 21:00:03 2023
    Cisco routers are being targeted by custom Russian malware

    Date:
    Wed, 19 Apr 2023 19:46:08 +0000

    Description:
    Admins are advised to update their Cisco routers' firmware ASAP.

    FULL STORY ======================================================================

    Russian state-sponsored threat actors have built custom malware and are using it against old, unpatched Cisco IOS routers , a joint US-UK report has
    warned.

    The UK National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA),
    and the Federal Bureau of Investigation (FBI) released a report in which they state that APT28, a group allegedly affiliated with the Russian General Staff Main Intelligence Directorate (GRU), developed a custom malware named Jaguar Tooth.

    This malware is capable of stealing sensitive data passing through the
    router, and allows threat actors unauthenticated backdoor access to the device. Stealing data

    The attackers would first scan for public Cisco routers using weak SNMP community strings, such as the commonly used public string, BleepingComputer reports. As per the publication, SNMP community strings are like credentials that allow anyone who knows the configured string to query SNMP data on a device.

    If they find a valid SNMP community string, the attackers will look to
    exploit CVE-2017-6742, a six-year-old vulnerability that allows for remote code execution. That allows them to install the Jaguar Tooth malware directly into the memory of Cisco routers. Read more

    Cisco will not patch serious security hole in its old VPN routers



    Cisco fixes major security flaw affecting VPN routers



    Here's our list of the best ID theft protection around

    "Jaguar Tooth is non-persistent malware that targets Cisco IOS routers
    running firmware: C5350-ISM, Version 12.3(6)," the advisory reads. "It includes functionality to collect device information, which it exfiltrates over TFTP, and enables unauthenticated backdoor access. It has been observed being deployed and executed via exploitation of the patched SNMP
    vulnerability CVE-2017-6742."

    The malware will then create a new process called Service Policy Lock that gathers all the output from these Command Line Interface commands and
    harvests them using TFTP: show running-config show version show ip interface brief show arp show cdp neighbors show start show ip route show flash

    To address the problem, admins should update their Cisco routers firmware immediately. Furthermore, they can switch from SNMP to NETCONF/RESTCONF on public routers. If they cant switch from SNMP, they should configure allow
    and deny lists to limit who can access the SNMP interface on internet-connected routers. Also, the community string should be changed to something stronger.

    The advisory also says admins should disable SNMP v2 or Telnet. You might
    also want to check out our list of the best endpoint protection software available now

    Via: BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/news/cisco-routers-are-being-targeted-by-custom-russ ian-malware


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)