U.S. and U.K. Governments Alert on Russian Cyber Actors Exploiting Cisco Vulnerabilities
On April 19, 2023, cybersecurity and intelligence agencies from the United States and the United Kingdom issued a warning regarding the activities of Russian state-sponsored hackers. These actors have been identified as exploiting previously patched vulnerabilities in Cisco networking devices to facilitate espionage activities. The breaches reportedly occurred in 2021 and specifically targeted select institutions, including a limited number of entities across Europe, U.S. governmental bodies, and approximately 250 organizations in Ukraine.
The threat group associated with these incidents is known as APT28, also referred to by other designations such as Fancy Bear, Forest Blizzard (previously known as Strontium), FROZENLAKE, and Sofacy. This group operates under the auspices of the Russian General Staff Main Intelligence Directorate, commonly known as the GRU. According to the National Cyber Security Centre (NCSC), APT28 has a history of compromising vulnerable routers by leveraging default and weak SNMP community strings and taking advantage of specific remote code execution vulnerabilities, notably CVE-2017-6742.
CVE-2017-6742 carries a high Common Vulnerability Scoring System (CVSS) score of 8.8, reflecting its severity and the potential impact of exploitation. The underlying vulnerabilities are buffer overflow conditions that can be exploited to execute arbitrary code remotely. The NCSC's findings underline the critical need for organizations to update and patch their networking infrastructure regularly to mitigate the risks associated with such vulnerabilities.
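As an added defensive example (not part of the original alert or this article), the following Python script audits a Cisco IOS configuration fragment for the SNMP weaknesses the NCSC describes: default or short community strings, read-write communities, and communities not bound to an access list, and checks whether SNMPv3 is configured as a replacement. The sample configuration, the default-string list and the 12-character minimum are constructed assumptions for illustration.

```python
# Constructed Cisco IOS config fragment (illustrative only, not from any real device).
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community s3cr3t RO 10
snmp-server community Xk9$mQ2!vT7pLw4z RO 10
snmp-server group NETMON v3 priv
"""

# Assumed: strings that ship as defaults or sit in every wordlist, and a minimum length.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "monitor"}
MIN_LENGTH = 12

def audit_snmp_communities(config: str) -> list[dict]:
    """One finding per 'snmp-server community' line: masked string, mode, ACL, issues."""
    findings = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["snmp-server", "community"] or len(tokens) < 3:
            continue
        community, rest = tokens[2], tokens[3:]
        # Optional "view <name>" precedes the RO/RW keyword in IOS syntax.
        if len(rest) >= 2 and rest[0].lower() == "view":
            rest = rest[2:]
        mode = "RO"  # IOS defaults to read-only when no keyword is given
        if rest and rest[0].upper() in ("RO", "RW"):
            mode, rest = rest[0].upper(), rest[1:]
        acl = rest[0] if rest else None  # trailing token is the access list
        issues = []
        if community.lower() in DEFAULT_COMMUNITIES:
            issues.append("default community string")
        elif len(community) < MIN_LENGTH:
            issues.append(f"short community string (<{MIN_LENGTH} chars)")
        if mode == "RW":
            issues.append("read-write access")
        if acl is None:
            issues.append("no access-list restricting SNMP sources")
        findings.append({"community": community[:2] + "***", "mode": mode, "acl": acl, "issues": issues})
    return findings

def uses_snmpv3(config: str) -> bool:
    """True if an SNMPv3 group exists; v3 with authPriv is the recommended replacement for v1/v2c."""
    return any(l.split()[:2] == ["snmp-server", "group"] and "v3" in l.split()
               for l in config.splitlines())

if __name__ == "__main__":
    for f in audit_snmp_communities(SAMPLE_CONFIG):
        print(f["community"], f["mode"], f["acl"], "; ".join(f["issues"]) or "ok")
    print("SNMPv3 configured:", uses_snmpv3(SAMPLE_CONFIG))
```

Run it against `show running-config` output saved to a file to list which community strings need replacing; the output masks the strings so the report can be shared without leaking them.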
The primary targets of these intrusions were strategic entities in Europe, various branches of the U.S. government, and a notable number of Ukrainian organizations. The relatively narrow focus on specific targets points to a calculated campaign aimed at extracting sensitive information and possibly disrupting operations in these sectors, which is typical of state-sponsored cyber operations.
In analyzing the tactics employed during these incursions, we can refer to the MITRE ATT&CK framework, which catalogues adversary methodologies. The tactics in these attacks likely included initial access through exploitation of the vulnerable devices, followed by persistence mechanisms to maintain a foothold in the network. Once inside, the actors would be positioned to escalate privileges and conduct reconnaissance, gathering intelligence from the compromised targets.
Given the evolving threat landscape, it is imperative for business owners to remain vigilant. Understanding the methods employed by adversaries helps organizations bolster their defenses and implement proactive measures. Robust security strategies, regular system updates, and thorough monitoring are essential components in mitigating the risks posed by targeted cyber threats.
As the cyber landscape continues to grow increasingly complex, timely information and awareness remain paramount. Organizations must cultivate an environment of security readiness, ensuring that their systems are fortified against potential exploits, particularly those posed by sophisticated nation-state actors.