Jaguar Tooth Malware Targeting Cisco Gear

Recent research has discovered a new malware targeting Cisco iOS devices called “Jaguar Tooth.” The malware collects device information and enables unauthenticated backdoor access.

It’s deployed via exploitation of the vulnerability CVE-2017-6742. This grants access to existing local accounts without checking the provided password. The malware creates a new process that collects and exfiltrates information.

The malware creates a process that automatically collects and exfiltrates data via TFTP. This includes data such as the running configuration, firmware version, directory listing of flash memory, network information, Address Resolution Protocol (ARP) tables, routing tables, interface data, and other connected routers.

The vulnerability enables the execution of Jaguar Tooth by overflowing the stack-based buffer and incrementally deploying the malware code over hundreds of iterations. Once deployed, the malware enables unauthenticated backdoor access by patching Cisco IOS authentication routines. Then Jaguar Tooth automatically collects device information and exfiltrates it over TFTP.

How Acreto can help mitigate this attack

Acreto is a cloud-based security solution that provides end-to-end security infrastructure. Acreto-OS has an inbuilt strong next-generation firewall that provides multiple levels of scanning, including IPS/IDS, DNS filtering, Web filtering, and much more. Ecosystems deliver a dedicated security infrastructure that can be deployed per application, per use-case, per project, or per third party. An Ecosystem inherently limits access only to users, devices, systems, and applications that need to interoperate together.

Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS, and Data Centers.

Ecosystems can be configured as:

• Open → With inbound or outbound access from or to the Internet or a third-party

• Closed → Fully contained with access limited to Ecosystem members.

• Hybrid → Where some systems have inbound or outbound Internet access while others operate fully contained.

Solution

Acreto has developed a process to secure even Internet-touching assets such as edge routers. With some minor configuration changes many organizations can prevent Internet-based threats from having access to their exposed Internet-touching devices such as routers or firewalls.

To leverage Acreto’s Threat protection capabilities for your infrastructure, follow the process below :

1. Connect LAN assets to Acreto via a vGW / IPsec / Wireguard tunnel
   Leverage one or more Ecosystems and Establish an encrypted tunnel to the Acreto Ecosystem using Acreto vGateway, which can establish a secure tunnel from within your network to Acreto.

2. Route all the traffic to/from the Internet through Acreto
   
   Direct all LAN traffic to the vGW / IPSec / Wireguard tunnel.

3. Direct all Internet-facing applications via the Acreto Ecosystem
   Use allocated IPs to direct all publicly-hosted applications through the Acreto Ecosystem security platform.

4. Eliminate Internet-exposed router attack surface with a routing statement
   By simply adding a specific (/32 or /128) route to the router for each Ecosystem that is utilized, the Internet attack surface of the router is immediately neutralized.

Technical Data

SNMP vulnerability

• Jaguar Tooth is deployed via exploitation of the patched SNMP vulnerability CVE-2017-6742

• The vulnerable function targeted by this exploit is reached using the SNMP Object Identifier (OID) 1.3.6.1.4.1.9.9.95.1.2.4.1.3

• This vulnerability causes a stack-based buffer to be overflowed, enabling control of the instruction pointer which can be used to gain remote code execution.

Unauthenticated backdoor

• Jaguar Tooth enables unauthenticated backdoor access by patching Cisco IOS authentication routines

• It grants access to existing local accounts without checking the provided password when connecting via Telnet or a physical session

• This is achieved by patching askpassword and ask_md5secret to always return true without checking the provided password.

Device information exfiltration

• The malware also creates a new process, called Service Policy Lock, that automatically collects information and exfiltrates it over TFTP.

• This includes device information such as the running configuration, firmware version, directory listing of flash memory, and network information including the Address Resolution Protocol (ARP) and routing tables, interfaces, and other connected routers.

• Jaguar Tooth collects and exfiltrates the information using specific Cisco IOS Command Line Interface (CLI) commands and Tcl commands, which are executed over TFTP.

Payload Execution

• Once written into memory, Jaguar Tooth payloads are executed by overflowing the return address of the vulnerable function with their location in memory.

• The registers that are controllable are those that are saved on the stack which is then restored in the function epilogue.