How Fancy Bear Infected Routers Using an Old SNMP Bug

Russian APT28 hackers, also known as Fancy Bear and other aliases, have been targeting unpatched Cisco routers in a malware operation since 2021.

The UK National Cyber Security Centre (NCSC) and the US’ National Security Agency, Cybersecurity and Infrastructure Security Agency, and the FBI issued a joint advisory outlining the APT28 exploitation tactics. The attackers exploited CVE-2017-6742, a bug in the Simple Network Management Protocol (SNMP) implementation that came with Cisco’s IOS XE software at that time. Once they compromised a vulnerable router, the attackers used SNMP to obtain sensitive information about the network behind it.

The advisory warned that using default or easy-to-guess community strings could make a network susceptible to attacks since a number of software tools can scan the entire network using SNMP. APT28 gained access to router information by exploiting weak SNMP community strings, including the default “public.” They then sent additional SNMP commands to enumerate router interfaces and reconfigured compromised units to use the SNMP v2 protocol, which doesn’t support encryption.

The attackers deployed Jaguar Tooth malware to collect device information, exfiltrate data using the Trivial File Transfer Protocol, and enable unauthenticated backdoor access. Once in control of the router, the attackers could use the device’s command line interface to discover other devices on the network using the Address Resolution Protocol (ARP).

Cisco’s 2017 advisory didn’t name specific hardware devices subject to the vulnerability but instead listed nine vulnerable SNMP Management Information Bases (MIBs) and advised users to disable those MIBs to protect their routers.