[ If your network is Cisco-based, please review the attached. Determine whether devices are running current code and patch as necessary. SNMP configurations are frequently left with defaults making reconnaissance information available to be slurped down easily from every network switch and router. – Robert ]
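As an added example (not part of Robert's note, the NYSIC e-mail or the joint advisory), the script below audits saved Cisco IOS `show running-config` text for the SNMP defaults the note warns about: guessable community strings, read-write communities, v1/v2c communities with no access-list, and the absence of an SNMPv3 authPriv group. Both sample configs and the list of default community strings are constructed for illustration, and the severity labels are the author's, not the advisory's.

```python
"""Offline audit of Cisco IOS running-config text for weak SNMP settings.

Added example, not code from the advisory or NYSIC. Run it against saved
`show running-config` output; the two sample configs here are constructed.
"""
import re

# Community strings that are tried first in SNMP reconnaissance (constructed list).
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "secret", "community", "ilmi"}

# Constructed sample: a router left at typical SNMP defaults.
SAMPLE_WEAK_CONFIG = """\
hostname edge-rtr-01
!
snmp-server community public RO
snmp-server community private RW
snmp-server community MonitorRO RO 10
snmp-server location DC1
!
access-list 10 permit 10.1.1.5
"""

# Constructed sample: the same router after hardening (SNMPv3 authPriv bound to an ACL).
# <secret> is a placeholder, not a real credential.
SAMPLE_HARDENED_CONFIG = """\
hostname edge-rtr-01
!
snmp-server group NMS-GRP v3 priv access 10
snmp-server user nms-poller NMS-GRP v3 auth sha <secret> priv aes 128 <secret>
snmp-server location DC1
!
access-list 10 permit 10.1.1.5
"""


def parse_snmp_communities(config_text):
    """Return one dict per `snmp-server community` line: name, RO/RW mode, ACL (or None).

    Cisco syntax: snmp-server community <string> [view <name>] [ro|rw] [ipv6 <nacl>] [<acl>]
    When neither ro nor rw is given, IOS defaults to read-only.
    """
    found = []
    for line in config_text.splitlines():
        tokens = line.strip().split()
        if len(tokens) < 3 or tokens[0].lower() != "snmp-server" or tokens[1].lower() != "community":
            continue
        name, rest = tokens[2], tokens[3:]
        mode, acl, i = "RO", None, 0
        while i < len(rest):
            t = rest[i].lower()
            if t == "view" and i + 1 < len(rest):
                i += 2  # skip the view name
                continue
            if t in ("ro", "rw"):
                mode = t.upper()
            elif t == "ipv6" and i + 1 < len(rest):
                acl = rest[i + 1]
                i += 2
                continue
            else:
                acl = rest[i]  # numbered or named access-list
            i += 1
        found.append({"community": name, "mode": mode, "acl": acl})
    return found


def audit_snmp(config_text):
    """Return a list of (severity, message) findings for weak SNMP configuration."""
    issues = []
    communities = parse_snmp_communities(config_text)
    for c in communities:
        if c["community"].lower() in DEFAULT_COMMUNITIES:
            issues.append(("HIGH", f"default/guessable community string '{c['community']}'"))
        if c["mode"] == "RW":
            issues.append(("HIGH", f"read-write community '{c['community']}' allows configuration changes"))
        if c["acl"] is None:
            issues.append(("MEDIUM", f"community '{c['community']}' has no ACL; any source may poll it"))
    # Any v1/v2c community at all, with no SNMPv3 authPriv group alongside it, is worth a note.
    has_v3_priv = re.search(r"^\s*snmp-server\s+group\s+\S+\s+v3\s+priv\b", config_text, re.M | re.I)
    if communities and not has_v3_priv:
        issues.append(("LOW", "only SNMPv1/v2c communities configured; no SNMPv3 authPriv group"))
    return issues


if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_WEAK_CONFIG), ("hardened", SAMPLE_HARDENED_CONFIG)):
        print(f"== {label} config ==")
        for severity, message in audit_snmp(cfg) or [("OK", "no SNMP weaknesses found")]:
            print(f"  [{severity}] {message}")
```

Point the script at a directory of saved configs from your switches and routers and it will list the devices still answering to `public`/`private`, the ones with read-write communities, and the ones with no source ACL; the hardened sample shows the target state (SNMPv3 authPriv, access restricted to the poller).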
TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
https://www.first.org/tlp/
Summary: The UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), US Cybersecurity and Infrastructure Security Agency (CISA) and US Federal Bureau of Investigation (FBI) released a Joint Advisory titled APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers.
NYSIC CAU Analyst Note: The Joint Advisory is attached for your convenience but is also located here: hxxps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108 . The advisory provides details of tactics, techniques, and procedures (TTPs) associated with APT28’s exploitation of Cisco routers. APT28 (also known as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang, Tsar Team, and Sofacy) is a highly skilled threat actor that is almost certainly linked to the Russian General Staff Main Intelligence Directorate (GRU) 85th Special Service Centre (GTsSS) Military Intelligence Unit 26165. The group has been operational since at least 2004 and conducts espionage against targeted entities for both intelligence gathering and hack-and-leak/Information Operations (IO).
TTPs in this advisory may still be used against vulnerable Cisco devices. Organizations are advised to follow the mitigation advice in this advisory to defend against this activity.
Author: NCSC, NSA, CISA, FBI
This information has been forwarded by NYSIC to:
NYSIC CAU Contacts – CPWG
NYSIC CAU Contacts – OCT-CIP
NYSIC CAU Contacts – DHSES CIRT
NYSIC CAU Contacts – ITS EISO
NYSIC CAU Contacts – SLTT
NYSIC CAU Contacts – County Information Contacts
NYSIC CAU Contacts – Critical Infrastructure Partners: All
NYSIC CAU Contacts – Private
For more information, please contact the NYSIC Cyber Analysis Unit at (518) 786-2191 or CAU@nysic.ny.gov.