Cisco has warned enterprise users of its routing and switching hardware to be on the alert for exploitation of a six-year-old vulnerability by nation-state threat actors linked to states such as Russia and China, after UK and US cyber agencies made a similar appeal.
Earlier this week, the UK’s National Cyber Security Centre (NCSC) and its American counterpart highlighted a campaign of malicious activity exploiting CVE-2017-6742, a Simple Network Management Protocol (SNMP) remote code execution (RCE) vulnerability in Cisco IOS and IOS XE software, affecting multiple devices.
This activity, attributed to APT28, a Russian intelligence-backed advanced persistent threat (APT) actor, has seen organisations in Europe and the US, and over 250 Ukrainian victims, attacked with Jaguar Tooth malware, a non-persistent malware targeting Cisco routers, which collects and steals device information and enables unauthenticated backdoor access.
“This malicious activity by APT28 presents a serious threat to organisations, and the UK and our US partners are committed to raising awareness of the tactics and techniques being deployed,” said NCSC operations director Paul Chichester.
“We strongly encourage network defenders to ensure the latest security updates are applied to their routers and to follow the other mitigation steps outlined in the advisory to prevent compromise.”
The networking kingpin said it was “deeply concerned” by the increase in these attacks, which its Talos threat intelligence team has been closely tracking.
Matt Olney, director of Talos threat intelligence and interdiction at Cisco, said that while network infrastructure of all types is bombarded with cyber attacks all the time, Cisco's market dominance makes its hardware particularly likely to be targeted. In this instance, he said, APT28 has been particularly successful in compromising infrastructure running out-of-date software, as have other state-backed threat actors.
“It is reasonable to conclude that any sufficiently capable national intelligence operation would develop and use the capability to compromise the communications infrastructure of their preferred targets,” wrote Olney.
“We have observed traffic manipulation, traffic copying, hidden configurations, router malware, infrastructure reconnaissance and active weakening of defences by adversaries operating on networking equipment. Given the variety of activities we have seen adversaries engage in, they have shown a very high level of comfort and expertise working within the confines of compromised networking equipment.
“Our assessment is clear – that national intelligence agencies and state-sponsored actors across the globe have attacked network infrastructure as a target of primary preference. Route/switch devices are stable, infrequently examined from a security perspective, often poorly patched and provide deep network visibility. They are the perfect target for an adversary looking to be both quiet and have access to important intelligence capability as well as a foothold in a preferred network,” he said.
Olney went on to share details of multiple highly sophisticated actor behaviours Cisco Talos has observed across different platforms, many of them at critical infrastructure facilities.
“We are concerned that insufficient awareness and patching, the reliance on end-of-life equipment and the necessity for always-on connectivity make too many infrastructure devices easy prey. The results of these issues range from being an unwitting participant in criminal activity to events of true national security impact,” he wrote.
Olney acknowledged that many operational realities make it hard to maintain a truly secure network. However, given the risks posed by compromised networking hardware, he said it was important that these obstacles are removed.
“Regardless of the context, ageing infrastructure is a risk. Relying on out-of-date gear or utilising out-of-date protocols and technologies will eventually cost your organisation,” he said.