Alert essentials:
A 6-year-old Cisco vulnerability is being used in a router malware attack that exfiltrates network data and opens a backdoor. If you maintain a Cisco router running firmware C5350-ISM / Version 12.3(6), deploy the patch or apply a mitigation for Cisco Bug CSCve54313 immediately.


Detailed threat description:
Jaguar Tooth is custom malware used by the Russian group APT28 to target Cisco routers running older firmware. The malware exports device and network information via TFTP and creates an unauthenticated backdoor on the device.

In July 2017 Cisco patched a buffer overflow in the handling of an SNMP object identifier on routers running the IOS and IOS XE operating systems. Without the patch, overflowing the memory buffer by a few additional bytes allows an attacker to write shellcode into the router’s memory. The severity of this vulnerability is rated High because a successful attack requires that the threat actor has already obtained the SNMP read-only community string for the targeted system. With SNMP access, the device can also be reconfigured remotely by modifying the variables that the SNMP agent exposes.

Impacts on healthcare organizations
Jaguar Tooth results in remote code execution (RCE), which allows a threat actor to run malicious code from across the internet on targets in remote networks. With the right skill set, an attacker can completely take over a remote target.

During remote code execution, a successful threat actor can run any code he or she chooses. Configuration on critical systems could be altered, or the systems taken offline. Files and patient data could be downloaded and used for espionage or identity theft. The attacker can create a “backdoor” in the network that allows access at a future date. Taking systems offline or otherwise making them unavailable is often the goal of the attack, and that outcome would compromise patient care.

Affected products / versions

  • Cisco IOS routers running firmware C5350-ISM / Version 12.3(6)
  • All versions of SNMP: Versions 1, 2c, and 3

CVEs

  • CVE-2017-6742 / Cisco Bug ID: CSCve54313

Recommendations

Engineering recommendations:

  • All Cisco admins should upgrade their routers to the latest firmware to mitigate these attacks
  • Administrators are advised to allow only trusted users to have SNMP access on an affected system
  • Administrators are also advised to monitor affected systems by using the “show snmp host” command in the CLI
  • Switch from SNMP to NETCONF/RESTCONF on public routers for remote management, as it offers more robust security and functionality
  • Disable SNMPv2c and older SNMP versions, and Telnet, on routers
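As an added example (not taken from the original alert or from Cisco), the SNMP and Telnet hardening steps above expressed as Cisco IOS configuration, with the weak settings shown before the corrected ones; the management subnet, ACL, group and user names, and the password placeholders are assumed values. Because the alert lists SNMPv3 as affected too, this limits exposure but does not replace the patch.

```cisco
! ---- Weak (before): SNMPv1/v2c with guessable communities, reachable from any host,
! ---- and Telnet permitted on the management lines
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh

! ---- Hardened (after)
! Remove the v1/v2c community strings entirely
no snmp-server community public
no snmp-server community private

! Only the management subnet may talk SNMP to the router (10.0.0.0/24 is an assumed value);
! everything else is denied and logged
ip access-list standard SNMP-MGMT
 permit 10.0.0.0 0.0.0.255
 deny   any log

! SNMPv3 only, authPriv (authentication and encryption), bound to the ACL above.
! Group/user names are assumed; replace the <...> placeholders with real secrets.
snmp-server group MGMT-GROUP v3 priv access SNMP-MGMT
snmp-server user mgmt-user MGMT-GROUP v3 auth sha <auth-password> priv aes 128 <priv-password>

! SSH only on the vty lines; Telnet is no longer accepted
line vty 0 4
 transport input ssh

! ---- Verification (exec mode): no v1/v2c communities should remain, only the
! ---- v3 group/user, and only expected trap receivers under "show snmp host"
show snmp community
show snmp group
show snmp user
show snmp host
```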

Leadership / program recommendations:

  • If a device is suspected to be compromised, revoke all keys and verify the device integrity using Cisco’s Software Integrity Assurance guide

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.

References: