CyberSecOp.com

View Original

Russian Cyber Spy Group APT28 Backdoors Cisco Routers via SNMP

Russian-aligned cyber groups are seeking to target Western infrastructure, including Russian cyber spy group APT28 backdoors Cisco routers via SNMP

The UK's National Cyber Security Centre (NCSC) has warned that Russian-aligned cyber groups are seeking to target critical infrastructure in the West. The NCSC said that these groups are motivated more by ideology than by money, and that they pose a potential risk to crucial infrastructure systems in Western countries, especially those that are "poorly protected."

The NCSC said that the groups often focus on denial-of-service attacks, defacing websites and spreading misinformation. However, some of the groups have stated a desire to achieve a more disruptive and destructive impact against Western critical national infrastructure, including in the UK.

Without outside assistance, it is unlikely that the groups "have the capability to deliberately cause a destructive, rather than disruptive, impact in the short term." However, the NCSC warns that the groups may become more effective over time, and that organizations "act now to manage the risk against successful future attacks."

The NCSC has issued a number of recommendations to organizations to help them protect themselves from these threats. These include:

  • Keeping software up to date

  • Using strong passwords and multi-factor authentication

  • Implementing a robust incident response plan

  • Raising awareness of cyber security threats among employees

The NCSC also encourages organizations to report any suspicious activity to the NCSC or their local law enforcement agency.

The NCSC's warning comes as the UK and its allies continue to impose sanctions on Russia in response to its invasion of Ukraine. The NCSC said that the sanctions are likely to further motivate Russian-aligned cyber groups to target Western infrastructure.

The NCSC's warning is a reminder that cyber security is a top priority for organizations of all sizes. By taking steps to protect themselves from cyber threats, organizations can help to mitigate the risk of disruption and damage.

In addition to the NCSC's warning, it has also been reported that Russian cyber spy group APT28 has been backdooring Cisco routers via SNMP. APT28, also known as Fancy Bear or Sednit, is a Russian state-sponsored hacking group that has been linked to a number of high-profile cyberattacks, including the 2016 Democratic National Committee email hack.

The backdoor in Cisco routers is believed to have been used by APT28 to gain access to networks and steal sensitive data. The backdoor was discovered by researchers at Cisco Talos, who have released a report on the vulnerability.

The vulnerability is a remote code execution (RCE) vulnerability that affects Cisco IOS 15.2 and earlier versions. The vulnerability can be exploited by an attacker who can send a specially crafted packet to a vulnerable router.

Cisco has released a patch for the vulnerability. Organizations that are using Cisco IOS 15.2 or earlier versions should apply the patch as soon as possible.

The discovery of the backdoor in Cisco routers is a reminder that cyber threats are constantly evolving. Organizations need to be aware of the latest threats and take steps to protect themselves.

This vulnerability is one of several SNMP flaws that Cisco patched on June 29, 2017. Its exploitation requires an attacker to be able to access the vulnerable SNMP OID. For this, they first need to know the SNMP read-only credential, but these are not always hard to find.

Here are some tips for protecting your Cisco routers from this vulnerability:

  • Keep your software up to date. Cisco has released a patch for this vulnerability. Organizations that are using Cisco IOS 15.2 or earlier versions should apply the patch as soon as possible.

  • Use strong passwords and multi-factor authentication. Make sure that your SNMP credentials are strong and that you are using multi-factor authentication.

  • Implement a robust incident response plan. Have a plan in place in case your network is compromised. This plan should include steps for containing the breach, notifying affected parties, and recovering from the attack.

  • Raise awareness of cyber security threats among employees. Make sure that your employees are aware of the latest cyber threats and how to protect themselves.

In conclusion, the discovery of the backdoor in Cisco routers is a reminder that cyber threats are constantly evolving. Organizations need to be aware of the latest threats and take steps to protect themselves. By taking steps to protect yourself from cyber threats, you can help to mitigate the risk of disruption and damage.