Hackers using flaw in Cisco switches to attack
Security researchers have warned that hackers are using badly configured Cisco switches to gain entry into the infrastructure of organisations worldwide.
According to a blog post by the Cisco Talos team, threat actors have leveraged a protocol misuse issue in the Cisco Smart Install Client.
They added that they have observed several incidents in multiple countries, including some specifically targeting critical infrastructure.
The team said that some of these attacks are believed to be associated with nation-state actors, such as those described in US CERT’s recent alert. The alert warned that “Russian government cyber-actors” have managed to infiltrate organisations in the US energy grid.
The problem centres on the Cisco Smart Install Client, which is a legacy utility designed to allow no-touch installation of new Cisco equipment, specifically Cisco switches.
“The Cisco Smart Install protocol can be abused to modify the TFTP server setting, exfiltrate configuration files via TFTP, modify the configuration file, replace the IOS image, and set up accounts, allowing for the execution of IOS commands,” said researchers.
They added that while this is not a vulnerability in the classic sense, the misuse of this protocol is an attack vector that should be mitigated immediately.
Talos identified more than 168,000 systems that are potentially exposed via the Cisco Smart Install Client.
“This is an improvement from the reported numbers in 2016, when fellow cyber security firm Tenable reported observing 251,000 exposed Cisco Smart Install Clients. There may be variations in methodology between the scans, but this still represents a substantial reduction in available attack surfaces,” said researchers.
Source | scmagazineuk