Security researchers have warned that hackers are using badly-configured Cisco switches to gain entry into the infrastructure of organisations worldwide.
According to a blog post by the Cisco Talos team threat actors have leveraged a protocol misuse issue in the Cisco Smart Install Client.
They added that they have observed several incidents in multiple countries, including some specifically targeting critical infrastructure.
The team said that some of these attacks are believed to be associated with nation-state actors, such as those described in US CERT's recent alert. The alert warned that "Russian government cyber-actors" have managed to infiltrate organisations in the US energy grid.
The problem centres on the Cisco Smart Install Client, which is a legacy utility designed to allow no-touch installation of new Cisco equipment, specifically Cisco switches.
“The Cisco Smart Install protocol can be abused to modify the TFTP server setting, exfiltrate configuration files via TFTP, modify the configuration file, replace the IOS image, and set up accounts, allowing for the execution of IOS commands,” said researchers.
They added that while this is not a vulnerability in the classic sense, the misuse of this protocol is an attack vector that should be mitigated immediately.
Talos managed to identify that more than 168,000 systems are potentially exposed via the Cisco Smart Install Client.
“This is an improvement from the reported numbers in 2016, when fellow cyber security firm Tenable reported observing 251,000 exposed Cisco Smart Install Clients. There may be variations in methodology between the scans, but this still represents a substantial reduction in available attack surfaces” said researchers.
The team saw a sharp increase in scanning for Cisco Smart Install Clients on or around 9 November, 2017.
“Because of the relatively static nature of perimeter systems, we do not expect a great deal of scanning associated with malicious activity. Still, it is noteworthy that we are seeing an increase in scanning for the Cisco Smart Install Client,” said researchers.
As a mitigation, researchers said that organisations can find out if they have a device that is impacted by executing a command on the switch.
“Additional indicators could be present if the logging levels are set to 6 (informational) or higher. These logs could include, but are not limited to, write operations via TFTP, execution of commands and device reloads,” said researchers.
They added that the simplest way to mitigate these issues is to run the command no vstack on the affected device.
“In order to secure and monitor perimeter devices, network administrators need to be especially vigilant. It can be easy to "set and forget" these devices, as they are typically highly stable and rarely changed. Combine this with the advantages that an attacker has when controlling a network device, and routers and switches become very tempting targets,” added the researchers.
Javvad Malik, security advocate at AlienVault, told SC Media UK that critical infrastructure makes a tempting target for nation states.
“It is therefore important that companies, particularly critical infrastructure providers ensure all infrastructure is properly configured and patched. In addition, companies should have robust threat detection controls so that any attacks can be quickly identified, and appropriate remedial action taken,” he said.
Pasal Geenens, Radware EMEA security evangelist, told SC Media UK that if those protocols contain vulnerabilities or are left unprotected after the initial configuration phase, these are important exploit vectors that have been abused in the past by different IoT botnets such as Mirai variants, Satori, Hajime, BrickerBot and more.