Jaguar Tooth Malware deployed via exploitation of SNMP Vulnerability
On April 18, 2023, the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI) and the UK National Cyber Security Centre (NCSC) released the joint cybersecurity advisory “APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers”.
The advisory details how, in 2021, SNMP vulnerabilities on unpatched Cisco routers were exploited to deploy the “Jaguar Tooth” malware. The vendor first disclosed the vulnerability in June 2017.
CVE-2017-6742 is caused by a buffer overflow condition in the Simple Network Management Protocol (SNMP) subsystem. An attacker could exploit it by sending a crafted SNMP packet to an affected system. SNMP is intended to allow network administrators to monitor and configure network devices remotely.
CVE-2017-6742 is rated High severity. Multiple vulnerabilities have been identified in the SNMP subsystem of Cisco IOS and IOS XE Software. These vulnerabilities affect SNMP versions 1, 2c and 3 and could be exploited by an authenticated remote attacker to execute code remotely on an affected system or to cause it to reload.
In order to exploit these vulnerabilities using SNMP Version 2c or earlier, the attacker needs to possess the SNMP read-only community string associated with the targeted system. On the other hand, to exploit these vulnerabilities using SNMP Version 3, the attacker must have valid user credentials for the affected system.
Devices enabling SNMP and not explicitly excluding the affected MIBs or OIDs should be considered vulnerable.
As noted in the Cisco security advisory, devices configured with any of the MIBs listed below are vulnerable:
Cisco IOS 12.0 through 12.4 and 15.0 through 15.6, and IOS XE 2.2 through 3.17, are the versions affected by CVE-2017-6742.
CISA also added CVE-2017-6742 to its Known Exploited Vulnerabilities Catalog on April 19, 2023, as shown in the figure below.
Jaguar Tooth Malware
Jaguar Tooth is malware designed to target Cisco IOS routers, and it operates without persistence. Its capabilities include automatically gathering device information, which it sends out via Trivial File Transfer Protocol (TFTP), and allowing unauthenticated backdoor access.
Jaguar Tooth alters the authentication mechanism of the system, enabling unauthorized access to any local account regardless of the password provided, both through Telnet and physical sessions. The malware accomplishes this by patching the “askpassword” and “ask_md5secret” functions, overriding their normal behavior and causing them to always return “true” without verifying the provided password.
Additionally, the malware generates a new process known as “Service Policy Lock” that performs automated data collection and exfiltration through TFTP. The gathered information encompasses various device details, such as:
- Running configuration
- Firmware version
- Directory listing of flash memory
- Address Resolution Protocol (ARP) entries
- Routing tables
- Interface information
- Connections to other routers
Jaguar Tooth’s primary objective is to collect and transmit a range of device information obtained through specific Cisco IOS Command Line Interface (CLI) commands. These commands include:
- show running-config
- show version
- show ip interface brief
- show arp
- show cdp neighbors
- show start
- show ip route
- show flash
Exposure of Cisco Routers
One online scanner reports that ~77k internet-exposed Cisco routers are running SNMP. The figure below shows the geographical distribution of the exposed assets. While investigating the exposure, it was found that the highest numbers of exposed assets are in Russia, the United States and India.
Note: The above image does not indicate vulnerable products but rather shows the geographical representation of potentially vulnerable products. The count of exposed assets might vary depending on the online scanner and the query used to narrow down exposure.
The vendor recommends that administrators restrict SNMP access on affected systems to trusted users only. Additionally, administrators are advised to monitor the affected systems using the “show snmp host” command in the command-line interface (CLI).
It is recommended to patch the vulnerabilities with high priority (Patch Link).
If successfully exploited, the vulnerability could grant the attacker the ability to execute arbitrary code, resulting in full control over the affected system, or could cause a system reload. Hence urgent patching of the affected products is recommended.
This incident draws attention to state actors targeting vulnerable internet-exposed devices for reconnaissance and cyber-espionage purposes. As the affected products are widely used in state and private organizations alike, administrators are advised to focus on timely patching of vulnerabilities and on avoiding exposure of critical assets to the internet.
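As an added example (not code from the advisory or from Cisco), the following Python script audits the SNMP lines of a Cisco IOS running configuration against the recommendations above: trusted-user access only, no default community strings, and a view that excludes the affected MIBs. Both configuration samples are constructed, AFFECTED-MIB-NAME is a placeholder for the MIBs named in Cisco's advisory, and the parser covers only the common forms of these commands.

```python
import re

# Constructed weak sample: default community strings, no access-list, no view,
# and an SNMPv2c trap receiver (the pre-v3 case where only a community string is needed).
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server host 203.0.113.9 version 2c public
"""

# Constructed hardened sample: a view excluding the affected MIB (placeholder name),
# an SNMPv3 group bound to that view and an access-list, and no v1/v2c communities.
HARDENED_CONFIG = """\
access-list 10 permit 192.0.2.10
snmp-server view SAFE-VIEW iso included
snmp-server view SAFE-VIEW AFFECTED-MIB-NAME excluded
snmp-server group MONITOR v3 priv read SAFE-VIEW access 10
snmp-server host 192.0.2.10 version 3 priv nms
"""

COMMUNITY = re.compile(r"snmp-server community (\S+)(?: view (\S+))? (RO|RW)(?: (\S+))?$")
GROUP = re.compile(r"snmp-server group (\S+) (v1|v2c|v3)(?: (auth|noauth|priv))?(.*)$")


def audit_snmp(config: str) -> list[str]:
    """Return findings for SNMP settings that leave a device exposed to CVE-2017-6742."""
    lines = [line.strip() for line in config.splitlines()]
    # A view only counts as restrictive if it excludes at least one subtree.
    restrictive_views = {m.group(1) for line in lines
                         if (m := re.match(r"snmp-server view (\S+) \S+ excluded", line))}
    findings = []
    for line in lines:
        if m := COMMUNITY.match(line):
            name, view, mode, acl = m.groups()
            if name.lower() in ("public", "private"):
                findings.append(f"community '{name}' is a well-known default string")
            if mode == "RW":
                findings.append(f"community '{name}' grants read-write access")
            if not acl:
                findings.append(f"community '{name}' is not bound to an access-list")
            if view not in restrictive_views:
                findings.append(f"community '{name}' does not use a view excluding affected MIBs")
        elif m := GROUP.match(line):
            group, version, level, rest = m.groups()
            if version != "v3" or level != "priv":
                findings.append(f"group '{group}' is not SNMPv3 with authentication and privacy")
            if "access " not in rest:
                findings.append(f"group '{group}' is not bound to an access-list")
            if not any(v in rest for v in restrictive_views):
                findings.append(f"group '{group}' does not read from a view excluding affected MIBs")
        elif re.match(r"snmp-server host \S+ version (1|2c) ", line):
            findings.append("trap/inform receiver configured with SNMP v1/v2c")
    return findings
```

Run it against the output of `show running-config | include snmp-server|access-list` from each router; an empty result means the SNMP stanza follows the vendor's workaround, not that the device is patched.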
- Keeping software, firmware and applications updated with the latest patches and mitigations released by the official vendor is necessary to prevent attackers from exploiting known vulnerabilities.
- Regular audits, vulnerability assessments and penetration-testing exercises are vital for finding security weaknesses that an attacker could exploit.
- To prevent unauthorized access to your routers, do not enable SNMP unless it is necessary for remote device configuration or management.
- Continuous monitoring and logging help detect network anomalies early.
- Keep track of advisories and alerts issued by vendors and government authorities.