US and UK authorities, as well as Cisco experts, have warned that Russian state-sponsored hackers from the APT28 group (also known as Fancy Bear, STRONTIUM, Sednit and Sofacy) are deploying custom malware, dubbed Jaguar Tooth, into Cisco IOS on the company’s routers, allowing them to gain access to the devices without authentication.
A joint report on the issue was published by the UK’s National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the NSA and the FBI.
Experts report that Jaguar Tooth is embedded directly into the memory of Cisco routers with older firmware versions, using SNMP for this purpose. Once installed, the malware extracts information from the router and provides its operators with unauthorized backdoor access.
“Jaguar Tooth is a non-persistent malware targeting Cisco IOS routers running C5350-ISM firmware version 12.3(6),” NCSC warned. “The threat has the capability to collect device information, which is transmitted via TFTP, and provides backdoor access without authentication. The malware has been observed to be deployed and executed using the already patched SNMP vulnerability CVE-2017-6742.”
The vulnerability in question is an unauthenticated remote code execution bug for which a public exploit has existed for a long time.
Having gained access to a Cisco router, the attackers “patch” its memory in order to install the custom, non-persistent Jaguar Tooth malware. As explained by the NCSC, this grants access to existing local accounts without password verification when connecting via Telnet or a physical console session.
Once a device is infected, the malware creates a new process in the system called Service Policy Lock, which collects the output of the following CLI commands and transmits it via TFTP:
show running-config;
show version;
show ip interface brief;
show arp;
show cdp neighbors;
show start;
show ip route;
show flash.
Cisco reminds administrators to keep their routers up to date with the latest firmware. Experts further advise switching from SNMP to NETCONF/RESTCONF for remote administration, as these provide better security and functionality. CISA also recommends disabling SNMPv2 or Telnet on Cisco routers, as these protocols can expose credentials in unencrypted traffic.
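As an added illustration of those last two recommendations (not code from the advisory, Cisco or CISA), the following script audits a Cisco IOS running-config for the two exposures named above: SNMPv1/v2c community strings (the SNMP surface CVE-2017-6742 was exploited through) and Telnet enabled on VTY lines. The sample config, the helper name `audit_ios_config` and the severity labels are constructed for this example.

```python
import re

# Constructed sample of a Cisco IOS running-config containing the weak settings
# the advisory warns about: SNMPv2c community strings and Telnet on the VTY lines.
SAMPLE_CONFIG = """\
version 12.3
hostname edge-rtr-1
snmp-server community public RO
snmp-server community private RW
snmp-server group NETOPS v3 priv
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""


def audit_ios_config(config: str) -> list:
    """Return a list of findings (strings) for settings that expose the router
    to the SNMP and Telnet weaknesses described above. Hypothetical helper."""
    findings = []
    # 'snmp-server community <string> [RO|RW]' configures SNMPv1/v2c access.
    # Every such line is a finding; RW or well-known names are rated high.
    for m in re.finditer(r"^snmp-server community (\S+)(?:\s+(RO|RW))?", config, re.M):
        name, mode = m.group(1), m.group(2) or "RO"
        sev = "high" if mode == "RW" or name.lower() in ("public", "private") else "medium"
        findings.append(
            f"{sev}: SNMPv1/v2c community '{name}' ({mode}) - "
            "migrate to SNMPv3 (priv) or NETCONF/RESTCONF"
        )
    # Walk each 'line vty' block; a 'transport input' that includes telnet (or all)
    # means cleartext logins whose credentials are recoverable from traffic.
    current_line = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current_line = raw.strip()
        elif current_line and raw.startswith(" transport input"):
            protos = raw.split()[2:]
            if "telnet" in protos or "all" in protos:
                findings.append(
                    f"high: {current_line} allows Telnet ({' '.join(protos)}) - "
                    "use 'transport input ssh'"
                )
        elif not raw.startswith(" "):
            current_line = None  # left the indented block
    return findings


if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print(finding)
```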