CyberWire Daily

CISA Alert AA23-108A – APT28 exploits known vulnerability to carry out reconnaissance and deploy malware on Cisco routers.

N2K Networks, Inc.

Technology, Daily News, News, Tech News

🗓️ 20 April 2023

⏱️ 3 minutes

Summary

The UK National Cyber Security Centre (NCSC), NSA, CISA, and FBI are releasing this joint advisory to provide TTPs associated with APT28's exploitation of Cisco routers in 2021.

Resources linked in the show notes:

AA23-108A Alert, Technical Details, and Mitigations
Malware Analysis Report
Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide
No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment
CISA Insights: Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses, for guidance on hardening MSP and customer infrastructure

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center's DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov.

To report incidents and anomalous activity, or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, call (888) 282-0870, or report incidents to your local FBI field office.

Transcript

0:00.0

You're listening to the CyberWire Network, powered by N2K.

0:07.0

This is a CISA Cybersecurity Alert.

0:14.0

ID number Alpha Alpha 23 TAC 108 Alpha.

0:20.0

Original release date, April 18th, 2023.

0:25.0

The UK National Cyber Security Centre (NCSC), NSA, CISA, and FBI are releasing this joint advisory to provide TTPs associated

0:36.0

with APT28's exploitation of Cisco routers in 2021.

0:41.2

In 2021, APT28 used infrastructure to masquerade via Simple Network Management Protocol

0:47.0

(SNMP) in order to access Cisco routers worldwide.

0:51.8

This included a small number based in Europe, US government

0:54.9

institutions, and approximately 250 Ukrainian victims.

0:59.4

SNMP is designed to allow network administrators to monitor and configure network devices remotely,

1:04.8

but it can also be misused to obtain sensitive network information and, if vulnerable,

1:10.0

exploit devices to penetrate a network.

1:17.1

A number of software tools can scan the entire network using SNMP, meaning that poor configurations such as using default or easy to guess community strings

1:21.9

can make a network susceptible to attacks.

1:25.4

The compromised routers were configured to accept SNMP version 2 requests.

1:30.1

SNMP version 2 does not support encryption and so all data, including community strings, is sent unencrypted.

1:37.0

The alert documentation linked in the show notes includes a full MITRE ATT&CK mapping of APT28's actions and activities.

1:45.0

NCSC, NSA, CISA, and FBI encourage organizations to implement the recommendations in the

1:50.3

mitigation section of this alert to reduce the likelihood and impact of similar incidents.

1:55.0

The alert documentation linked in the show notes includes additional technical details, IOCs, mitigations, and response recommendations.

...
