Russian cyber spy group APT28 backdoors Cisco routers via SNMP

APT28, the hacking arm of Russia’s GRU military intelligence agency has been backdooring Cisco routers by exploiting a remote code execution vulnerability in the Cisco IOS implementation of the simple network management protocol (SNMP), according to a statement by Western security agencies. The malware deployed on compromised routers patches the router’s authentication mechanism to always accept any password for any local user.

“In 2021, APT28 used infrastructure to masquerade simple network management protocol (SNMP) access into Cisco routers worldwide,” the UK National Cyber Security Centre (NCSC) said in a joint advisory with the US National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA), and the US Federal Bureau of Investigation (FBI). “This included a small number based in Europe, US government institutions, and approximately 250 Ukrainian victims.”

Weak or stolen SNMP credentials allow exploitation

The vulnerability exploited by APT28 is an old one: CVE-2017-6742. It is a buffer overflow in an SNMP object identifier (OID) called alpsRemPeerConnLocalPort on Cisco routers running the IOS and IOS XE operating systems. By attaching additional bytes to this OID, the stack-based memory buffer is overflowed and shellcode can be written in the router’s memory.

This vulnerability is one of several SNMP flaws that Cisco patched on June 29, 2017, and its exploitation requires an attacker to be able to access the vulnerable SNMP OID. For this, they first need to know the SNMP read-only credential, but these are not always hard to find.

The SNMP protocol can be used by an SNMP management tool to read device configuration data and parameters stored internally in a management information base (MIB). The device can also be configured remotely by modifying variables that the SNMP agent allows. These operations are achieved with the “get” and “set” commands and read and write access to the data is controlled through passwords known as community strings.

By default, the community string that allows read access to the MIB is called “public” and the one that allows write access is called “private.” Many device manufacturers ship devices with these default strings but they can be changed by device administrators and it’s highly recommended to do so. Over the years, default SNMP read-only credentials have been abused in different ways, for example in DDoS amplification attacks or to obtain sensitive data about devices — also known as SNMP leaks. In some cases, however, the problems have been more serious, with insecure implementations found in hundreds of thousands of devices that accepted any value for the read and write community strings.

Attackers have often already gained some level of access

Moreover, communications over SNMP version 2c and version 1 are not encrypted and can be read if intercepted, including the transmitted community string. According to the NCSC advisory, the compromised routers were using SNMP 2c. Routers with SNMP v3 are also vulnerable, but to exploit the flaw in this version of the protocol the attacker would need to know user credentials for the affected system.

Researchers from Cisco Talos, the company’s cybersecurity and incident response arm, have also analyzed this APT28 campaign and other similar attacks and noted that attackers often already have some level of access to the network before performing such attacks, which might give them access to credentials and a whitelisted position.

“In other incidents, we have observed well-positioned adversaries with pre-existing access to internal environments targeting TACACS+/RADIUS servers to obtain credentials,” the Talos researchers said in a blog post. “This gives them the benefit of understanding the controls enforced by the credential server, as well as allowing their traffic to look ‘normal’ by using jump servers and employing other techniques that a typical network administrator would use.”

The Jaguar Tooth backdoor

In some of the APT28 attacks exploiting CVE-2017-6742, the attackers deployed an in-memory backdoor that NCSC and its partners dubbed Jaguar Tooth. This malicious code is not persistent, meaning it doesn’t survive device reboots, but that doesn’t mean much in the case of routers that are not rebooted very often and can even have power backup to ensure a high uptime. Also, attackers can always reinfect the device if it does get rebooted.

Jaguar Tooth has two major capabilities. Firstly, it acts as an authentication backdoor because it modifies the askpassword and ask_md5secret functions of the operating system to always return true without actually checking the provided password. This allows attackers to access the device via Telnet or physical sessions as any system user.

Secondly, Jaguar Tooth collects information about the device and the network by issuing IOS CLI commands, including the routing table, IP addresses listed in the ARP cache, available network interfaces, and more, and then sends this information back to the attackers using the TFTP protocol.

“Jaguar Tooth has been observed being deployed via multiple SNMP exploit packets,” NCSC said in its analysis, which includes YARA and Snort IDS detection and scanning rules. “Whilst the payloads deployed are basic, combined with the exploit this malware is assessed to be of low to medium sophistication.”

Mitigations for the Cisco router vulnerability

Cisco released patched IOS and IOS XE firmware for the affected router models. The issue is the use of second-hand and end-of-life devices, especially high-end routers, is common around the world, and normally only customers with valid licenses and service contracts can download software upgrades. This might explain why attackers were still able to find routers vulnerable to this issue four years later. The Cisco advisory notes that customers without active service contracts can still contact the Cisco Technical Assistance Center (TAC) and provide the device serial number with a link to the advisory to obtain a free software update.

Additionally, the advisory contains instructions on how device administrators can disable access completely to the vulnerable SNMP MIBs as a workaround in the absence of a patch. Furthermore, the company advises customers to use more modern network management protocols instead of SNMP, such as NETCONF (network configuration protocol) and RESTCONF, which run over SSH and HTTPS respectively. Both provide strong encryption and authentication.

“Our recommendations are to select complex passwords and community strings, to utilize multifactor authentication where possible, to require encryption when configuring and monitoring devices, and to lockdown and aggressively monitor credential systems like TACACS+ and any jump hosts,” the Cisco Talos researchers said.