Heimdal

Researchers in the US and UK warn that the Russian state-sponsored APT28 hacking group is deploying custom malware called "Jaguar Tooth" on routers in order to obtain unauthorized access.

The APT28 threat group is known for a wide range of attacks and cyberespionage campaigns against European and US organizations, and for abusing zero-day exploits. According to BleepingComputer:

A joint report released today by the UK National Cyber Security Centre (NCSC), US Cybersecurity and Infrastructure Security Agency (CISA), the NSA, and the FBI details how the APT28 hackers have been exploiting an old SNMP flaw on Cisco IOS routers to deploy a custom malware named ‘Jaguar Tooth.’

Jaguar Tooth is non-persistent malware that targets Cisco IOS routers running firmware: C5350-ISM, Version 12.3(6)


What Is Jaguar Tooth Malware and How It Works

The attackers target routers running old firmware versions and inject the malware directly into device memory. Once installed, Jaguar Tooth collects device information, exfiltrates it over TFTP, and gives the attackers unauthenticated backdoor access. The malware is deployed and executed by exploiting CVE-2017-6742, an SNMP vulnerability for which a patch has been available since 2017.

The malware also creates a process named ‘Service Policy Lock’ that collects data from the Command Line Interface (CLI), namely for the following commands:

  • show running-config
  • show version
  • show ip interface brief
  • show arp
  • show cdp neighbors
  • show start
  • show ip route
  • show flash

Researchers' Recommendations

To mitigate these attacks, admins should first update the routers to the latest firmware version. They should then move remote management of public-facing routers from SNMP to NETCONF/RESTCONF, which improves both security and functionality.

If SNMP cannot be avoided, the researchers recommend that admins configure allow and deny lists and restrict access to the SNMP interface on exposed routers.
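As an added example (not code from the article or from the NCSC/CISA report), the following check audits a `show running-config` dump for the SNMP exposure those recommendations address: default community strings, communities without an access-list, read-write communities, and the absence of SNMPv3. The two configurations, the hostname, the ACL name and the community strings are all constructed.

```python
"""Audit a Cisco IOS running-config for SNMP exposure (constructed example)."""
import re

# IOS syntax: snmp-server community <string> [view <v>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?$"
)
SNMPV3_GROUP_RE = re.compile(r"^snmp-server group \S+ v3 ", re.MULTILINE)

# Constructed sample: SNMPv2c, default strings, no ACL, RW enabled.
WEAK_CONFIG = """\
hostname edge-rtr-1
snmp-server community public RO
snmp-server community private RW
"""

# Constructed sample: one RO community tied to a management ACL, plus SNMPv3.
HARDENED_CONFIG = """\
hostname edge-rtr-1
ip access-list standard SNMP-MGMT
 permit 10.0.0.5
 deny any log
snmp-server community s3cr3t RO SNMP-MGMT
snmp-server group NMS v3 priv
"""


def audit_snmp(running_config: str) -> list:
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    for line in running_config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        community, mode, acl = m.groups()
        mode = mode or "RO"  # IOS defaults to read-only when the keyword is omitted
        if community.lower() in ("public", "private"):
            findings.append(f"default community string '{community}'")
        if acl is None:
            # Without an access-list any host that can reach UDP/161 may query it.
            findings.append(f"community '{community}' ({mode}) has no access-list")
        if mode == "RW":
            findings.append(f"community '{community}' allows write access")
    if "snmp-server community" in running_config and not SNMPV3_GROUP_RE.search(running_config):
        findings.append("no SNMPv3 group configured; device relies on v1/v2c only")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_snmp(cfg) or ["no findings"])
```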


Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.
