Unpatched Cisco IOS routers are being targeted by the Russian state-backed threat actor APT28 to deploy ‘Jaguar Tooth’ malware by exploiting a vulnerability from 2017. The National Cyber Security Centre (NCSC) has published a malware analysis report on this non-persistent malware, recently seen infecting Cisco IOS routers running firmware C5350-IS-M version 12.3(6). A joint advisory from the NCSC, NSA, CISA (Cybersecurity and Infrastructure Security Agency) and FBI describes the attacks, first seen in 2021, which targeted victims across Europe and the US, including approximately 250 Ukrainian victims.
The high-severity Cisco IOS router vulnerability exploited in these attacks is CVE-2017-6742, a Simple Network Management Protocol (SNMP) remote code execution vulnerability that was patched in June 2017. Because SNMP allows administrators to configure devices remotely, an attacker can send a malicious SNMP packet to a vulnerable system over IPv4 or IPv6. For this to succeed, the router must be configured with weak community strings, such as the default ‘public’ string, which allow the attacker's packets to be accepted. The vulnerability is a buffer overflow: crafted SNMP packets can trigger remote code execution, giving the attacker full control of the vulnerable system, or cause the system to reload. In the APT28 attacks, these SNMP packets deploy the Jaguar Tooth malware, which then gathers device information and exfiltrates it over the Trivial File Transfer Protocol (TFTP).
The purpose of the Jaguar Tooth malware is to gather information from the compromised device, including the MAC address, which it obtains by querying the Address Resolution Protocol (ARP). Other device information is gathered through command line interface (CLI) commands, including the system's network configuration and details of connected devices. Jaguar Tooth also creates an unauthenticated backdoor by modifying the system's authentication process so that it can be bypassed. As the vulnerability has already been patched by the vendor, the best way for organisations to protect themselves from these attacks is to update their routers to the latest firmware versions. Cisco also recommends that SNMP not be used unless remote configuration is necessary, to prevent attackers from gaining access to devices; where remote configuration is needed, Cisco recommends NETCONF and RESTCONF instead. Where SNMP must remain enabled, allow and deny lists can be applied to SNMP messages to prevent unauthorised hosts from accessing the router.
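As an added example (not from the advisory or from Cisco), the following Python audits a Cisco IOS configuration for the conditions described above that make the SNMP service reachable by an attacker: well-known or short community strings, and communities without an access list restricting which hosts may send SNMP. The two sample configurations, the management host 192.0.2.10 and the ACL name SNMP_MGMT are constructed for illustration.

```python
"""Audit a Cisco IOS running-config for the SNMP exposure described above:
well-known or short community strings, and communities with no access list
restricting which hosts may send SNMP packets to the router.
Both sample configs are constructed for illustration, not from a real device."""

WEAK_COMMUNITIES = {"public", "private", "cisco", "admin"}  # common defaults
MIN_COMMUNITY_LEN = 12

# Constructed: default community strings, no ACL, one of them read-write.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
"""

# Constructed: long read-only community, only the management host allowed.
HARDENED_CONFIG = """\
ip access-list standard SNMP_MGMT
 permit 192.0.2.10
 deny   any log
snmp-server community Qm7vR2xL9pTk4wZs RO SNMP_MGMT
"""

def audit_snmp(config: str) -> list[str]:
    """Return one finding per weakness; an empty list means the
    'snmp-server community' lines pass these checks."""
    lines = [ln.split() for ln in config.splitlines() if ln.strip()]
    # ACL names defined in the config: 'ip access-list standard NAME' or 'access-list 10 ...'
    acls = {t[3] for t in lines if t[:2] == ["ip", "access-list"] and len(t) > 3}
    acls |= {t[1] for t in lines if t[:1] == ["access-list"] and len(t) > 1}
    findings = []
    for t in lines:
        if t[:2] != ["snmp-server", "community"] or len(t) < 3:
            continue
        # Handles the common form 'snmp-server community NAME [RO|RW] [ACL]'.
        name = t[2]
        modes = [x.upper() for x in t[3:] if x.upper() in ("RO", "RW")]
        rest = [x for x in t[3:] if x.upper() not in ("RO", "RW")]
        acl = rest[0] if rest else None
        if name.lower() in WEAK_COMMUNITIES:
            findings.append(f"'{name}': well-known default community string")
        elif len(name) < MIN_COMMUNITY_LEN:
            findings.append(f"'{name}': short community string ({len(name)} chars)")
        if acl is None:
            findings.append(f"'{name}': no access list, any host reaching UDP/161 can use it")
        elif acl not in acls:
            findings.append(f"'{name}': references undefined access list {acl}")
        if "RW" in modes:
            findings.append(f"'{name}': read-write access")
    return findings
```

Running `audit_snmp(WEAK_CONFIG)` yields five findings, while `audit_snmp(HARDENED_CONFIG)` yields none.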