Security News > 2023 > April > Russian snoops just love invading unpatched Cisco gear, America and UK warn

The UK and US governments have sounded the alarm on Russian intelligence targeting unpatched Cisco routers to deploy malware and carry out surveillance.

In a joint advisory issued Tuesday, the UK National Cyber Security Centre, the NSA, America's Cybersecurity and Infrastructure Security Agency and the FBI provided details about how Russia's APT28 - aka FancyBear and Stronium - exploited an old vulnerability in unpatched Cisco routers in 2021 to collect network information belonging to European and US government organizations, and about 250 Ukrainian victims.

In a separate warning, also issued on Tuesday, Cisco said it's not just Russian spies attempting to attack network infrastructure - and it's not just Cisco gear they're going after.

"Cisco is deeply concerned by an increase in the rate of high-sophistication attacks on network infrastructure - that we have observed and have seen corroborated by numerous reports issued by various intelligence organizations - indicating state-sponsored actors are targeting routers and firewalls globally," Cisco Talos Threat Intelligence Director Matt Olney said.

In the 2021 attacks, the Kremlin spies used the simple network management protocol to access Cisco routers worldwide.

After exploiting weak SNMP community strings to access routers, the attackers deployed Jaguar Tooth malware [PDF], which collected more device information and sent it back to the intruders over trivial file transfer protocol, and also enabled unauthenticated backdoor access to the network so that Moscow's snoops could maintain persistence.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/04/18/uk_us_apt28_cisco_routers/