latest news of the deep world

NSA and FBI Disclosed How APT28 Gang Hacked Cisco Unprotected Devices to Install Spyware Software

May 12, 2023
NSA and FBI Disclosed How APT28 Gang Hacked Cisco Unprotected Devices to Install Spyware Software

In a collaborative bulletin released by NCSC-UK, NSA, CISA, and FBI, details were provided on how the APT28 group took advantage of insecure routers in Cisco during 2021 to install tailored spyware on unpatched devices.

In 2021, the infamous hacking gang APT28, which also goes by such names as STRONTIUM, Fancy Bear, Sednit, and Sofacy, carried out a cyber campaign that involved emulating Simple Network Management Protocol (SNMP) access to Cisco routers on a global level.

The targets of this campaign were routers situated in government agencies located in Europe and the United States. The attack also had an impact on approximately 250 users around the world. APT28 is recognized as a highly sophisticated and persistent threat actor that has been linked to multiple cyber espionage operations and is suspected to have the support of a nation-state.

The Technical Aspect Behind the Cyber Attack

Hackers took advantage of the CVE-2017-6742 instability to download “Jaguar Tooth” malware on network devices, giving them unauthorized backdoor access and extracting sensitive information. This malware allowed unlawful entry to local accounts and collected information from CLI commands like “show running-config” and “show ip route”, sending it to the TFTP protocol.

The bulletin emphasizes the trend of authorities cyber criminals creating customized malware to proceed online espionage, pointing at the importance for strong cybersecurity measures and awareness of such attacks. Attackers find routers to be an attractive target due to their ability to view network traffic and extract data that enable further network access.

This makes it essential for administrators to address the vulnerabilities present in their as quickly as feasible, impacted gadgets. The professionals suggest that using NETCONF/RESTCONF instead of SNMP for remote administration will improve safety and accessibility. Additionally, CISA advises disabling SNMP v2 or Telnet on Cisco routers because such protocols can lead to the theft of unencrypted traffic credentials.

Leave a Reply

Your email address will not be published. Required fields are marked *