The National Security Agency, Cybersecurity and Infrastructure Security Agency, FBI and the U.K. National Cyber Security Centre have released a joint advisory to inform organizations of the tactics, techniques and procedures used by threat actor APT28 to exploit and gain access to Cisco routers.
APT28 deploys malware and performs reconnaissance of routers by exploiting the vulnerability CVE-2017-6742 and by using default and weak Simple Network Management Protocol (SNMP) community strings, NSA said Tuesday.
According to the advisory, SNMP lets network administrators configure and monitor network devices remotely; threat actors can abuse the same access to reach sensitive network data.
The agencies called on organizations to perform mitigation measures, such as patching devices, avoiding the use of SNMP to prevent unauthorized access to routers, enforcing a strong password policy and using logging tools to record commands executed on network devices.
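The mitigations above translate into checks a defender can run against a router's running configuration. The following Python script is an added example, not part of the advisory or the agencies' tooling: it audits a constructed Cisco IOS config for SNMP community strings that are in a small constructed list of well-known defaults, that are short (the 8-character threshold is a hypothetical policy choice for this example), that grant read-write access or that have no access-list limiting which managers may use them, and it flags the absence of an `archive` / `log config` block, the IOS mechanism that records executed commands. The sample config and the findings it produces are constructed for illustration.

```python
"""Audit a Cisco IOS running-config for weak SNMP exposure and missing
command logging. Added example with a constructed config and weak-string list."""
import re
from dataclasses import dataclass

# Constructed list of well-known default/weak community strings. The advisory
# speaks of "default and weak" strings without enumerating them.
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin", "secret", "snmp"}

# Hypothetical policy threshold for this example, not taken from the advisory.
MIN_COMMUNITY_LEN = 8

# IOS syntax: snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server\s+community\s+(\S+)(?:\s+view\s+\S+)?\s*(RO|RW)?(?:\s+(\S+))?\s*$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line_no: int   # 1-based line in the config text; 0 means "whole config"
    severity: str  # "high", "medium" or "info"
    message: str


def audit_ios_config(config_text: str) -> list[Finding]:
    """Return findings for weak SNMP settings and missing command logging."""
    findings: list[Finding] = []
    saw_community = False
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        m = COMMUNITY_RE.match(raw.strip())
        if not m:
            continue
        saw_community = True
        community = m.group(1)
        mode = (m.group(2) or "RO").upper()  # IOS defaults to read-only
        acl = m.group(3)
        if community.lower() in WEAK_COMMUNITIES:
            findings.append(Finding(line_no, "high",
                                    f"default/weak community string {community!r}"))
        elif len(community) < MIN_COMMUNITY_LEN:
            findings.append(Finding(line_no, "medium",
                                    f"short community string {community!r} "
                                    f"({len(community)} chars)"))
        if mode == "RW":
            findings.append(Finding(line_no, "high",
                                    f"community {community!r} grants read-write access"))
        if acl is None:
            findings.append(Finding(line_no, "medium",
                                    f"community {community!r} has no access-list "
                                    "restricting which managers may use it"))
    if saw_community:
        findings.append(Finding(0, "info",
                                "SNMPv1/v2c community strings are configured; the advisory "
                                "recommends avoiding SNMP to prevent unauthorized router access"))
    if "log config" not in config_text:
        findings.append(Finding(0, "medium",
                                "no 'archive' / 'log config' block: executed commands "
                                "are not being logged"))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Summarise findings by severity."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample config: two default strings, one read-write short string,
# one acceptable string with an ACL, and no command-logging block.
SAMPLE_CONFIG = """\
!
hostname edge-router-1
!
snmp-server community public RO
snmp-server community private RW
snmp-server community Xy7#kQ9pL2 RO 99
snmp-server community s3cret RW
!
access-list 99 permit 10.0.0.0 0.0.0.255
!
"""

if __name__ == "__main__":
    results = audit_ios_config(SAMPLE_CONFIG)
    for f in results:
        where = f"line {f.line_no}" if f.line_no else "config"
        print(f"[{f.severity.upper():6}] {where}: {f.message}")
    print(severity_counts(results))
```

Run as-is it reports the sample's findings; pointing `audit_ios_config` at the text of `show running-config` from a real device gives the same per-line report. Only the `Xy7#kQ9pL2` line passes clean, because it is long, read-only and bound to access-list 99.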
The advisory states that APT28 is also known as the Russian General Staff Main Intelligence Directorate (GRU) 85th Special Service Center military intelligence unit 26165, STRONTIUM, Fancy Bear, Pawn Storm, Sofacy and the Sednit Gang.