
NSA and FBI Disclosed How APT28 Gang Hacked Cisco Unprotected Devices to Install Spyware Software


By Esme Greene

May 12, 2023

In a joint bulletin released by NCSC-UK, NSA, CISA, and FBI, the agencies detailed how the APT28 group exploited vulnerable Cisco routers during 2021 to install tailored spyware on unpatched devices.

In 2021, the infamous hacking gang APT28, also known as STRONTIUM, Fancy Bear, Sednit, and Sofacy, carried out a cyber campaign that abused Simple Network Management Protocol (SNMP) access to Cisco routers around the world.

The targets of this campaign were routers in government agencies in Europe and the United States; approximately 250 users around the world were also affected. APT28 is recognized as a highly sophisticated and persistent threat actor that has been linked to multiple cyber espionage operations and is suspected of having nation-state support.

The Technical Aspect Behind the Cyber Attack

The hackers exploited the CVE-2017-6742 vulnerability to deploy the “Jaguar Tooth” malware on network devices, giving them unauthorized backdoor access and a way to extract sensitive information. The malware granted unauthorized access to local accounts and collected the output of CLI commands such as “show running-config” and “show ip route”, exfiltrating it over TFTP.

The bulletin highlights the trend of state-backed cyber criminals creating customized malware for online espionage, underlining the importance of strong cybersecurity measures and awareness of such attacks. Routers are an attractive target for attackers because they can see network traffic and yield data that enables further access into the network.

Administrators should therefore patch the vulnerabilities in their affected devices as quickly as feasible. The experts suggest that using NETCONF/RESTCONF instead of SNMP for remote administration improves security and manageability. Additionally, CISA advises disabling SNMP v2 or Telnet on Cisco routers, because these protocols carry credentials in unencrypted traffic and can lead to their theft.
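As an added example (not from the advisory or from this article), here is a small defender-side audit that checks a Cisco IOS running-config for the two weak settings the guidance above names: SNMPv1/v2c community strings and Telnet enabled on VTY lines. The sample config, hostname, and community names are constructed for illustration.

```python
import re
from typing import List

# Constructed sample running-config (not from any real device). It deliberately
# contains an SNMPv2c community and Telnet on one VTY block, plus a correct
# SNMPv3 authPriv setup and an SSH-only VTY block for contrast.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
snmp-server community public RO
snmp-server community s3cret RW
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha MonPass123 priv aes 128 MonPriv123
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""


def audit_ios_config(config: str) -> List[str]:
    """Return findings for SNMPv1/v2c communities and Telnet-enabled VTY lines."""
    findings: List[str] = []
    current_vty = None  # which 'line vty' block nested lines belong to
    for raw in config.splitlines():
        line = raw.rstrip()
        # 'snmp-server community <name> [RO|RW]' configures v1/v2c, whose
        # community string travels in cleartext; SNMPv3 uses group/user instead.
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", line)
        if m:
            access = m.group(2) or "RO"
            findings.append(
                f"SNMPv1/v2c community '{m.group(1)}' ({access}); migrate to SNMPv3 or remove"
            )
            continue
        # Track the enclosing 'line vty X Y' block for indented 'transport input' lines.
        m = re.match(r"line (vty \d+ \d+)", line)
        if m:
            current_vty = m.group(1)
            continue
        if not line.startswith(" "):
            current_vty = None  # any other top-level line ends the block
            continue
        m = re.match(r"\s+transport input (.+)", line)
        if m and current_vty:
            protos = m.group(1).split()
            if "telnet" in protos or "all" in protos:
                findings.append(f"Telnet allowed on {current_vty}; set 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print(finding)
```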


Esme Greene

Esme brings a wealth of knowledge and experience to our website, specializing in all aspects of DarkWeb security. With a deep understanding of the intricate workings of the DarkWeb and its associated cybersecurity risks, Esme curates insightful and informative content for our readers.