Jaguar Tooth Malware Targeting Cisco Gear
April 21st, 2023 |
Recent research has discovered a new malware targeting Cisco iOS devices called “Jaguar Tooth.” The malware collects device information and enables unauthenticated backdoor access.
It’s deployed via exploitation of the vulnerability CVE-2017-6742. This grants access to existing local accounts without checking the provided password. The malware creates a new process that collects and exfiltrates information.
The malware creates a process that automatically collects and exfiltrates data via TFTP. This includes data such as the running configuration, firmware version, directory listing of flash memory, network information, Address Resolution Protocol (ARP) tables, routing tables, interface data, and other connected routers.
The vulnerability enables the execution of Jaguar Tooth by overflowing the stack-based buffer and incrementally deploying the malware code over hundreds of iterations. Once deployed, the malware enables unauthenticated backdoor access by patching Cisco IOS authentication routines. Then Jaguar Tooth automatically collects device information and exfiltrates it over TFTP.
How Acreto can help mitigate this attack
Acreto is a cloud-based security solution that provides end-to-end security infrastructure. Acreto-OS has an inbuilt strong next-generation firewall that provides multiple levels of scanning, including IPS/IDS, DNS filtering, Web filtering, and much more. Ecosystems deliver a dedicated security infrastructure that can be deployed per application, per use-case, per project, or per third party. An Ecosystem inherently limits access only to users, devices, systems, and applications that need to interoperate together.
Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS, and Data Centers.
Ecosystems can be configured as:
Open → With inbound or outbound access from or to the Internet or a third-party
Closed → Fully contained with access limited to Ecosystem members.
Hybrid → Where some systems have inbound or outbound Internet access while others operate fully contained.
Acreto has developed a process to secure even Internet-touching assets such as edge routers. With some minor configuration changes many organizations can prevent Internet-based threats from having access to their exposed Internet-touching devices such as routers or firewalls.
To leverage Acreto’s Threat protection capabilities for your infrastructure, follow the process below :
Connect LAN assets to Acreto via a vGW / IPsec / Wireguard tunnel
Leverage one or more Ecosystems and Establish an encrypted tunnel to the Acreto Ecosystem using Acreto vGateway, which can establish a secure tunnel from within your network to Acreto.
Route all the traffic to/from the Internet through Acreto
Direct all LAN traffic to the vGW / IPSec / Wireguard tunnel.
Direct all Internet-facing applications via the Acreto Ecosystem
Use allocated IPs to direct all publicly-hosted applications through the Acreto Ecosystem security platform.
Eliminate Internet-exposed router attack surface with a routing statement
By simply adding a specific (/32 or /128) route to the router for each Ecosystem that is utilized, the Internet attack surface of the router is immediately neutralized.
Jaguar Tooth is deployed via exploitation of the patched SNMP vulnerability CVE-2017-6742
The vulnerable function targeted by this exploit is reached using the SNMP Object Identifier (OID) 184.108.40.206.220.127.116.11.18.104.22.168.1.3
This vulnerability causes a stack-based buffer to be overflowed, enabling control of the instruction pointer which can be used to gain remote code execution.
Jaguar Tooth enables unauthenticated backdoor access by patching Cisco IOS authentication routines
It grants access to existing local accounts without checking the provided password when connecting via Telnet or a physical session
This is achieved by patching askpassword and ask_md5secret to always return true without checking the provided password.
Device information exfiltration
The malware also creates a new process, called Service Policy Lock, that automatically collects information and exfiltrates it over TFTP.
This includes device information such as the running configuration, firmware version, directory listing of flash memory, and network information including the Address Resolution Protocol (ARP) and routing tables, interfaces, and other connected routers.
Jaguar Tooth collects and exfiltrates the information using specific Cisco IOS Command Line Interface (CLI) commands and Tcl commands, which are executed over TFTP.
Once written into memory, Jaguar Tooth payloads are executed by overflowing the return address of the vulnerable function with their location in memory.
The registers that are controllable are those that are saved on the stack which is then restored in the function epilogue.
Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.