CISA Alert AA23-108A – APT28 exploits known vulnerability to carry out reconnaissance and deploy malware on Cisco routers.
This is a CISA Cybersecurity Alert.
ID number AA23-108A.
Original release date – April 18th, 2023.
The UK National Cyber Security Centre (NCSC), NSA, CISA, and FBI are releasing this joint advisory to provide TTPs associated with APT28’s exploitation of Cisco routers in 2021.
In 2021, APT28 used its infrastructure to masquerade Simple Network Management Protocol (SNMP) access into Cisco routers worldwide. The victims included a small number of routers based in Europe, US government institutions, and approximately 250 Ukrainian victims.
SNMP is designed to allow network administrators to monitor and configure network devices remotely, but it can also be misused to obtain sensitive network information and, if vulnerable, exploit devices to penetrate a network.
A number of software tools can scan an entire network using SNMP, which means that poor configuration, such as using default or easy-to-guess community strings, can make a network susceptible to attack. The compromised routers were configured to accept SNMP version 2 requests. SNMPv2 does not support encryption, so all data, including community strings, is sent in the clear.
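The weaknesses just described (SNMPv1/v2c communities sent in cleartext, default or short community strings, read-write communities, and communities with no access list) are all visible in a router's running configuration, so a defender can audit for them before an adversary scans for them. The following is an added example, not code from the CISA alert or from Cisco: a small Python auditor that reads Cisco IOS-style `snmp-server` lines from a constructed configuration fragment and reports each weak setting, and it also notes when no SNMPv3 `priv` (authenticated and encrypted) group is configured as the replacement. The configuration text, the hostname, the community strings and the list of weak community strings are all constructed for illustration, and the regular expressions assume the common IOS syntax `snmp-server community <string> [view <view>] [RO|RW] [acl]`.

```python
"""Audit a Cisco IOS-style configuration fragment for weak SNMP settings.

Added example; not from the CISA alert or any Cisco tool. The sample config,
hostname and community strings below are constructed, and the regexes are an
assumption about common IOS syntax rather than a full IOS parser.
"""
import re
from dataclasses import dataclass

# Community strings commonly left at vendor defaults or trivially guessed.
# Constructed list for illustration; extend it with your own organisation's history.
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin", "community", "snmp", "monitor"}

# snmp-server community <string> [view <view>] [RO|RW] [acl]   (v1/v2c only)
COMMUNITY_RE = re.compile(
    r"^\s*snmp-server\s+community\s+(?P<string>\S+)(?P<rest>.*)$", re.IGNORECASE
)
# snmp-server group <name> v3 {noauth|auth|priv}
V3_GROUP_RE = re.compile(
    r"^\s*snmp-server\s+group\s+\S+\s+v3\s+(?P<level>\S+)", re.IGNORECASE
)


@dataclass
class Finding:
    line: str    # offending config line, or "<global>" for device-wide issues
    reason: str


def audit_snmp_config(config: str) -> list[Finding]:
    """Return one Finding per weak SNMP setting found in the config text."""
    findings: list[Finding] = []
    communities = 0
    v3_priv = False

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):      # skip blanks and IOS comments
            continue

        g = V3_GROUP_RE.match(line)
        if g and g.group("level").lower() == "priv":
            v3_priv = True
            continue

        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        communities += 1
        community = m.group("string")
        tokens = m.group("rest").split()
        # Locate the RO/RW keyword; anything after it is the access list.
        mode_idx = next((i for i, t in enumerate(tokens) if t.upper() in ("RO", "RW")), None)
        mode = tokens[mode_idx].upper() if mode_idx is not None else "RO"   # IOS default is RO
        acl = tokens[mode_idx + 1:] if mode_idx is not None else []

        # Any 'snmp-server community' line defines a v1/v2c community, which is cleartext.
        findings.append(Finding(line, "SNMPv1/v2c community: string and data travel in cleartext"))
        if community.lower() in WEAK_COMMUNITIES or len(community) < 8:
            findings.append(Finding(line, f"default or easily guessed community string '{community}'"))
        if mode == "RW":
            findings.append(Finding(line, "read-write community allows remote configuration changes"))
        if not acl:
            findings.append(Finding(line, "no access list limits which hosts may use this community"))

    if communities and not v3_priv:
        findings.append(Finding("<global>",
                                "no SNMPv3 'priv' group: authenticated and encrypted SNMP is not configured"))
    return findings


# Constructed running-config fragment (not from any real device).
SAMPLE_CONFIG = """\
! constructed sample, edge-rtr-01
hostname edge-rtr-01
snmp-server community public RO
snmp-server community s3cr3t-ops-2023 RW 10
snmp-server community Xk7#pQ9vL2 view RESTRICTED RO 20
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha AUTHPASSPLACEHOLDER priv aes 128 PRIVPASSPLACEHOLDER
"""

if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_CONFIG):
        print(f"[{f.line}] {f.reason}")
```

On the constructed fragment the auditor reports six findings: the `public` community is cleartext, guessable and unrestricted; the RW community is cleartext and writable; and the third community is flagged only for being v1/v2c. Because a `v3 priv` group is present, no device-wide finding is raised; remove that line and the auditor adds one, which is the state the compromised routers in this alert were in.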
The alert documentation linked in the show notes includes a full MITRE ATT&CK mapping of APT28’s actions and activities.
NCSC, NSA, CISA, and FBI encourage organizations to implement the recommendations in the Mitigations section of this alert to reduce the likelihood and impact of similar incidents. The alert documentation linked in the show notes includes additional technical details, IOCs, mitigations, and response recommendations.
To report incidents and anomalous activity or to request incident response resources or technical assistance, contact CISA at email@example.com, call (888) 282-0870, or report incidents to your local FBI field office.
This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www.cisa.gov to read the full report, which may include additional details, links, and illustrations.
A link to this report can be found in the show notes.
This has been a CISA Cybersecurity Alert.