A highly active and proficient Russian threat group known for going after high-level targets is exploiting an old, known vulnerability in some Cisco routers to deploy malware known as Jaguar Tooth, which installs a backdoor.
The attacks have targeted government agencies in the United States and Europe, and U.S. and U.K. intelligence and law enforcement agencies on Tuesday released a joint advisory on the campaigns. The group behind the attacks is APT28, which is also known as Fancy Bear and Strontium, a Russian threat actor that is among the more notorious and active groups on the scene.
The vulnerability (CVE-2017-6742) that the group is targeting was disclosed in 2017, and Cisco released a fix for it in June of that year. The bug affected all current versions of IOS and IOS XE at the time the fix was released, and APT28 has been targeting routers that have not been updated, exploiting the vulnerability and installing the Jaguar Tooth malware. The malware is not persistent, but it does enable the attackers to install a backdoor for future access.
“It enables unauthenticated backdoor access by patching Cisco IOS authentication routines. This grants access to existing local accounts without checking the provided password, when connecting via Telnet or physical session,” the description of the malware from the National Cyber Security Centre in the U.K. says.
“Jaguar Tooth modifies the system’s authentication process, allowing unauthenticated access to any local account for any provided password via Telnet and physical sessions. This is achieved by patching askpassword and ask_md5secret to always return true without checking the provided password.”
The specific vulnerability that this campaign targets is a stack buffer overflow that enables an attacker to gain remote code execution on the router.
“Jaguar Tooth is deployed by writing custom shellcode to memory which can be used to write an arbitrary 4-byte value to any specified address. This shellcode is then called repeatedly to incrementally write Jaguar Tooth into memory,” the NCSC advisory says.
“Once the Jaguar Tooth payloads have been copied into memory, they are individually executed by overflowing the return address of the vulnerable function with their location in memory.”
The fix for this flaw has been available since June 2017, but some organizations don’t update routers on a regular basis, because the devices are integral to the network’s core functionality and taking them offline to install updates can be disruptive. Cisco’s Talos team has been investigating these attacks as well, and urged organizations to install updated software if at all possible.
“Network infrastructure is built to last, and in today’s always-on world, it’s sometimes impossible to find a patch window. But recent reports – and our own investigations – show that it is critical to update both the hardware and the software that runs your network. This is true not just because patching eliminates known vulnerabilities, but upgrades also introduce new security capabilities and controls that weren’t previously available,” said Matt Olney of Cisco Talos.