CyberWire Daily - CISA Alert AA23-108A – APT28 exploits known vulnerability to carry out reconnaissance and deploy malware on Cisco routers.
Episode Date: April 20, 2023The UK National Cyber Security Centre (NCSC), NSA, CISA, and FBI are releasing this joint advisory to provide TTPs associated with APT28’s exploitation of Cisco routers in 2021. AA23-108A Alert, Tec...hnical Details, and Mitigations Malware Analysis Report Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide. No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure. U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered 18th, 2023.
The UK National Cybersecurity Centre, NCSC, NSA, CISA and FBI are releasing this joint advisory to provide TTPs associated with APT28's infrastructure to masquerade via Simple Network Management Protocol, SNMP, in order to access Cisco routers worldwide.
This included a small number based in Europe, U.S. government institutions, and approximately 250 Ukrainian victims. SNMP is designed to allow network administrators to monitor and configure network devices remotely,
but it can also be misused to obtain sensitive network information and, if vulnerable, exploit
devices to penetrate a network.
A number of software tools can scan the entire network using SNMP, meaning that poor configurations
such as using default or easy-to-guess community strings can make a network susceptible to
attacks.
The compromised routers were configured to accept SNMPv2 requests.
SNMPv2 does not support encryption and so all data, including community strings, is sent unencrypted.
The alert documentation linked in the show notes includes a full MITRE ATT&CK mapping of APT28's actions and activities.
NCSC, NSA, CISA, and FBI encourage organizations to implement the recommendations in the mitigation section of this alert to reduce the likelihood and impact of similar incidents. The alert
documentation linked in the show notes includes additional technical details, IOCs, mitigations,
and response recommendations. To report incidents and anomalous activity or to request incident Thank you. and Infrastructure Security Agency and edited and adapted for audio by the Cyber Wire as a public service.
Please visit www.cisa.gov
to read the full report,
which may include additional details,
links, and illustrations.
A link to this report
can be found in the show notes.
This has been a CISA Cybersecurity Alert.