Threat actor APT28 targets Cisco routers with an old vulnerability (Security News, April 2023)
Threat actor APT28 is exploiting an old vulnerability in Cisco routers using Simple Network Management Protocol versions 1, 2c and 3 to target the U.S., Europe and Ukraine.
The advisory states that in 2021, APT28 used malware to exploit an SNMP vulnerability, known as CVE-2017-6742, that was reported and patched on June 29, 2017, by Cisco.
Exploiting the vulnerability writes the Jaguar Tooth code into the memory of targeted Cisco Internetworking Operating System routers, where it is then executed.
APT28 is a threat actor that has been active since 2004; it also goes by the aliases Sofacy, Fancy Bear, Pawn Storm, Sednit, Tsar Team and Strontium.
APT28 targeted Cisco routers in Europe, U.S. government institutions and approximately 250 Ukrainian victims, according to the report.
Cybersecurity company Talos, part of Cisco Systems Inc, reminds people that even well-chosen community strings are transmitted in clear text unless SNMP v3 is used and can be intercepted by a threat actor, because the older SNMP versions v1 and v2c lack proper encryption and authentication, while v3 relies on SSH and HTTPS protocols.
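To make the clear-text point concrete from a defender's side, here is an added example (not code from the article, Talos or Cisco) that decodes the BER header of captured SNMP messages and reports what an eavesdropper would see: for v1/v2c the community string itself, for v3 only the security level carried in the msgFlags byte. The sample packets are constructed inline for this example; the engine ID, user name and encrypted payload in the v3 sample are placeholders, and the assumed use is running the function over UDP/161 payloads extracted from a capture.

```python
"""Classify captured SNMP messages by version and credential exposure.

Minimal BER decoding of the SNMP message header (RFC 3416 layout for
v1/v2c, RFC 3412 layout for v3). All packets below are constructed for
this example; they are not captures from the incident in the article.
"""
from dataclasses import dataclass
from typing import Optional


def tlv(tag: int, content: bytes) -> bytes:
    """BER-encode one tag/length/value element (short or long definite length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def integer(value: int) -> bytes:
    """BER INTEGER (two's complement, minimal length)."""
    size = max(1, (value.bit_length() + 8) // 8)
    return tlv(0x02, value.to_bytes(size, "big", signed=True))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


@dataclass
class SnmpAssessment:
    version: str
    community: Optional[str]       # only v1/v2c carry a clear-text community
    security_level: Optional[str]  # only v3: noAuthNoPriv / authNoPriv / authPriv
    finding: str


def assess_snmp(packet: bytes) -> SnmpAssessment:
    """Inspect the SNMP message header and say what is exposed on the wire."""
    tag, msg, _ = read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, raw_version, pos = read_tlv(msg)
    if tag != 0x02:
        raise ValueError("missing msgVersion INTEGER")
    version = int.from_bytes(raw_version, "big")

    if version in (0, 1):  # 0 = SNMPv1, 1 = SNMPv2c
        tag, community, _ = read_tlv(msg, pos)
        if tag != 0x04:
            raise ValueError("missing community OCTET STRING")
        name = "v1" if version == 0 else "v2c"
        return SnmpAssessment(name, community.decode("latin-1"), None,
                              f"{name}: community string sent in clear text")

    if version == 3:
        _, global_data, _ = read_tlv(msg, pos)      # msgGlobalData SEQUENCE
        _, _, p = read_tlv(global_data)             # msgID
        _, _, p = read_tlv(global_data, p)          # msgMaxSize
        _, flags, _ = read_tlv(global_data, p)      # msgFlags OCTET STRING
        auth = bool(flags[0] & 0x01)                # bit 0: authFlag
        priv = bool(flags[0] & 0x02)                # bit 1: privFlag
        level = "authPriv" if auth and priv else "authNoPriv" if auth else "noAuthNoPriv"
        finding = ("v3 authPriv: authenticated and encrypted" if level == "authPriv"
                   else f"v3 {level}: weak security level, review the user's group")
        return SnmpAssessment("v3", None, level, finding)

    raise ValueError(f"unknown SNMP version {version}")


# Constructed SNMPv2c GetRequest for sysDescr.0 with community "public".
SYS_DESCR_OID = tlv(0x06, bytes([0x2B, 6, 1, 2, 1, 1, 1, 0]))  # 1.3.6.1.2.1.1.1.0
VARBINDS = tlv(0x30, tlv(0x30, SYS_DESCR_OID + tlv(0x05, b"")))
GET_REQUEST = tlv(0xA0, integer(1) + integer(0) + integer(0) + VARBINDS)
V2C_PACKET = tlv(0x30, integer(1) + tlv(0x04, b"public") + GET_REQUEST)


def v3_packet(flags: int) -> bytes:
    """Constructed SNMPv3 message; engine ID, user and payload are placeholders."""
    global_data = tlv(0x30, integer(42) + integer(65507) + tlv(0x04, bytes([flags])) + integer(3))
    usm = tlv(0x30, tlv(0x04, b"\x80\x00\x00\x01") + integer(0) + integer(0)
              + tlv(0x04, b"netops") + tlv(0x04, b"\x00" * 12) + tlv(0x04, b"\x00" * 8))
    encrypted_scoped_pdu = tlv(0x04, b"\x00" * 32)  # placeholder for the ciphertext
    return tlv(0x30, integer(3) + global_data + tlv(0x04, usm) + encrypted_scoped_pdu)


V3_AUTHPRIV = v3_packet(0x07)  # reportable | priv | auth
V3_NOAUTH = v3_packet(0x04)    # reportable only


if __name__ == "__main__":
    for label, pkt in [("v2c", V2C_PACKET), ("v3 authPriv", V3_AUTHPRIV), ("v3 noAuth", V3_NOAUTH)]:
        print(label, assess_snmp(pkt))
```

Running it over real traffic is a quick way to find devices that still answer v1/v2c or v3 noAuthNoPriv polls; the community string and user name are reported exactly because they are what a passive observer on the path would already have.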
News URL
https://www.techrepublic.com/article/apt28-cisco-routers-security-vulnerability/
Related Vulnerability
| Date | CVE | Vulnerability title | Risk (CVSS) |
|---|---|---|---|
| 2017-07-17 | CVE-2017-6742 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco IOS. The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 12.0 through 12.4 and 15.0 through 15.6 and IOS XE 2.2 through 3.17 contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. | 8.8 |