APT28 Exploits Known Vulnerability on Cisco Routers - 20230419001
Overview
WASOC has observed a joint advisory from NCSC, NSA, CISA, and FBI that provides details of the tactics, techniques, and procedures (TTPs) associated with APT28's exploitation of Cisco routers in 2021. By exploiting the vulnerability CVE-2017-6742, APT28 used infrastructure to masquerade Simple Network Management Protocol (SNMP) access into Cisco routers worldwide, including routers in Europe, U.S. government institutions, and approximately 250 Ukrainian victims.
The WASOC requests WA Government agencies confirm with their network operators that unencrypted SNMP is only in use for monitoring, and has no ability to undertake administrative or privileged actions on network devices. Please inform the WASOC via the DGov Incident Reporting Portal (IRP) (using the vulnerability issue type) if there is any privileged access to unencrypted SNMP available on agency networks and the expected timeline for resolution if it is in use (target resolution should be 4-6 weeks maximum).
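The check requested above (that unencrypted SNMP on network devices is read-only and used for monitoring only) can be made by reviewing the SNMP lines of each device's running configuration. The following is an added example, not code from the WASOC advisory or from Cisco: a small Python audit of Cisco IOS-style `snmp-server` lines that flags read-write (RW) communities, communities with no access-list, well-known default community strings, and SNMPv3 groups that do not use `priv` (encryption). The two sample configurations, the function names and the address values are constructed for illustration; the weak sample shows the kind of configuration the advisory warns about, and the hardened sample shows unencrypted SNMP limited to read-only polling from a named management host alongside SNMPv3 with authentication and privacy.

```python
"""Audit Cisco IOS-style SNMP configuration for privileged or unrestricted access.

Added example (not from the WASOC advisory or from Cisco). It implements the
check the advisory asks agencies to make: unencrypted SNMP (v1/v2c) should be
read-only and used for monitoring only. Sample configs are constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample: read-write community, default strings, no ACLs, and an
# SNMPv3 group that neither authenticates nor encrypts.
WEAK_CONFIG = """\
hostname edge-rtr-1
snmp-server community public RO
snmp-server community private RW
snmp-server community nmsread RO 10
snmp-server group NETOPS v3 noauth
snmp-server host 192.0.2.50 version 2c private
"""

# Constructed sample: v2c restricted to read-only from one poller (ACL 10),
# and SNMPv3 with SHA authentication and AES privacy (encryption).
HARDENED_CONFIG = """\
hostname edge-rtr-1
access-list 10 permit host 192.0.2.10
access-list 10 deny any log
snmp-server community nmsread RO 10
snmp-server group NETOPS v3 priv
snmp-server user nmsuser NETOPS v3 auth sha AuthPassExample priv aes 128 PrivPassExample
snmp-server host 192.0.2.10 version 3 priv nmsuser
"""


@dataclass(frozen=True)
class Finding:
    line: str      # the offending configuration line
    issue: str     # what is wrong with it
    severity: str  # "high" for privileged unencrypted access, else "medium"


# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
# Assumption: the trailing token, if any, is an access-list number or name
# (the "ipv6 <nacl>" form is not handled by this illustration).
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?$", re.I
)
# snmp-server group <name> v3 {noauth|auth|priv}
V3_GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)", re.I)

DEFAULT_COMMUNITIES = {"public", "private"}


def audit_snmp(config: str) -> list[Finding]:
    """Return findings for every SNMP line that allows privileged or unrestricted access."""
    findings: list[Finding] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            community = m.group(1)
            mode = (m.group(2) or "RO").upper()  # IOS defaults a community to RO
            acl = m.group(3)
            if mode == "RW":
                findings.append(Finding(line, "read-write community: privileged access over unencrypted SNMP", "high"))
            if acl is None:
                findings.append(Finding(line, "community has no access-list restricting source addresses", "medium"))
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding(line, "well-known default community string", "medium"))
            continue
        m = V3_GROUP_RE.match(line)
        if m and m.group(2).lower() != "priv":
            findings.append(Finding(line, f"SNMPv3 group {m.group(1)} uses '{m.group(2)}'; traffic is not encrypted", "medium"))
    return findings


def has_privileged_unencrypted_snmp(config: str) -> bool:
    """True when any v1/v2c community grants write (administrative) access."""
    return any(f.severity == "high" for f in audit_snmp(config))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_snmp(cfg)
        print(f"{name}: {len(results)} finding(s); privileged unencrypted SNMP = {has_privileged_unencrypted_snmp(cfg)}")
        for f in results:
            print(f"  [{f.severity}] {f.issue}: {f.line}")
```

To use it on a real device, save the output of `show running-config` to a file and pass its contents to `audit_snmp`. The audit only reads configuration syntax; it does not confirm the IOS or IOS XE release is patched, so it complements rather than replaces the vendor fix.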
What is the vulnerability?
CVE-2017-6742 - CVSS v3 Base Score: 8.8
What is vulnerable?
These vulnerabilities affect all releases of Cisco IOS and IOS XE Software prior to the first fixed release, and they affect all versions of SNMP: versions 1, 2c, and 3.
Devices configured with any of the following MIBs are vulnerable:
- ADSL-LINE-MIB
- ALPS-MIB
- CISCO-ADSL-DMT-LINE-MIB
- CISCO-BSTUN-MIB
- CISCO-MAC-AUTH-BYPASS-MIB
- CISCO-SLB-EXT-MIB
- CISCO-VOICE-DNIS-MIB
- CISCO-VOICE-NUMBER-EXPANSION-MIB
- TN3270E-RT-MIB
To identify all vulnerable products and applicable fixes, please refer to the Cisco Security Advisory.
What has been observed?
WASOC has not observed any exploitation of any Cisco routers based on the CVE-2017-6742 in Western Australia.
Recommendation
Due to the report of active exploitation, it is strongly recommended to patch this vulnerability within 2-4 weeks across all affected platforms as per vendor instructions: CISCO