Cyber-Attacks on US Critical Infrastructure Linked to Cisco Switch Flaw


Recommended Posts

Cisco Talos, the cyber-security division of US IT conglomerate Cisco, said today that hackers are abusing misconfigured Cisco switches to gain a point of entry into organizations across the world.




The Cisco Talos team says that some of these intrusion attempts are related to a Department of Homeland Security (DHS) alert sent out in mid-March.

In the US-CERT advisory, DHS warned that "Russian government cyber actors" have targeted and infiltrated organizations active in the US energy grid and other critical infrastructure networks.

Cisco Talos believes that some of the attacks against Cisco switches have been carried out by the same group described in the US-CERT advisory, tracked by various cyber-security firms under codenames such as Dragonfly, Crouching Yeti, and Energetic Bear.

Attacks linked to Cisco SMI protocol

These attacks, carried out by Dragonfly but also by other groups, have targeted the Cisco Smart Install (SMI) Client, a legacy utility designed to allow no-touch installation of Cisco switches, now superseded by the Cisco Network Plug and Play solution.

The problem is that on switches whose owners never configured or disabled the Smart Install protocol, the SMI client remains waiting in the background for "installation/configuration" commands. This allows hackers to abuse this forgotten protocol to:

—  Modify the TFTP server setting to exfiltrate configuration files via TFTP
—  Modify the switch general configuration file
—  Replace the IOS operating system image
—  Set up local accounts to let attackers log in and execute any IOS commands

Over 168,000 SMI-enabled Cisco devices connected online

Cisco first detected abuse of the SMI protocol in February 2017, when it alerted customers; a second alert followed from the Cisco Talos team in February this year.

Scans for SMI-enabled devices (TCP port 4786) started in February 2017, intensified in October, and doubled after the latest Cisco Talos warning in February this year.



Cisco says it identified over 168,000 SMI-enabled Cisco switches left exposed on the Internet. The Talos team today published instructions that network admins can follow to disable SMI on affected devices, as well as an open-source tool for scanning local networks or Internet IP ranges for other SMI-enabled devices.
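The kind of check the Talos tool performs can be reproduced in a few dozen lines: connect to TCP/4786, send a Smart Install probe, and see whether the listener answers like an SMI client. The script below is an added example written for this page; it is not the article's code and not the Talos tool itself. The probe and expected-reply bytes are an assumption based on my recollection of the publicly released Talos checker, so verify them against that tool before trusting a "smi-enabled" verdict; the loopback "fake switch" is a constructed responder that only exists so the example runs offline.

```python
"""Cisco Smart Install (SMI) exposure checker.

Added example, not code from the article or from Cisco Talos. It probes
TCP/4786 and classifies the reply. The 24-byte probe/reply values are an
ASSUMPTION based on my recollection of the public Talos smi_check tool;
verify them against that tool. The local fake responder is constructed
for the demo only.
"""
import ipaddress
import socket
import sys
import threading
from concurrent.futures import ThreadPoolExecutor

SMI_PORT = 4786

# ASSUMPTION: Smart Install probe and the reply an SMI-enabled client sends
# back, as used by the Talos checker (six 4-byte big-endian fields each).
SMI_PROBE = bytes.fromhex("000000010000000100000004000000080000000100000000")
SMI_REPLY = bytes.fromhex("000000040000000000000003000000080000000100000000")


def classify_reply(data: bytes) -> str:
    """Map whatever a TCP/4786 listener returned to a verdict string."""
    if data == SMI_REPLY:
        return "smi-enabled"            # answered exactly like an SMI client
    if data:
        return "unknown-4786-service"   # something listens but is not SMI
    return "no-reply"                   # port open, nothing sent back


def _recv_upto(sock: socket.socket, n: int) -> bytes:
    """Read up to n bytes; stop on timeout or when the peer closes."""
    data = b""
    while len(data) < n:
        try:
            chunk = sock.recv(n - len(data))
        except socket.timeout:
            break
        if not chunk:
            break
        data += chunk
    return data


def probe_host(host: str, port: int = SMI_PORT, timeout: float = 3.0) -> str:
    """Return 'closed', 'no-reply', 'unknown-4786-service' or 'smi-enabled'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"                 # refused, unreachable or filtered
    with sock:
        try:
            sock.sendall(SMI_PROBE)
            data = _recv_upto(sock, len(SMI_REPLY))
        except OSError:                 # reset mid-exchange
            data = b""
    return classify_reply(data)


def expand(target: str) -> list:
    """Turn a host or CIDR string into the list of host addresses to probe."""
    net = ipaddress.ip_network(target, strict=False)
    if net.num_addresses == 1:
        return [str(net.network_address)]
    return [str(h) for h in net.hosts()]


def scan(targets, port: int = SMI_PORT, workers: int = 64) -> dict:
    """Probe every host in the given targets concurrently; host -> verdict."""
    hosts = [h for t in targets for h in expand(t)]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda h: (h, probe_host(h, port)), hosts))


def start_fake_smi_client(reply: bytes = SMI_REPLY):
    """Constructed loopback responder that imitates an SMI-enabled switch.
    Returns (listening socket, port); close the socket to stop it."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener closed
                return
            with conn:
                try:
                    if conn.recv(64) == SMI_PROBE:
                        conn.sendall(reply)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) > 1:               # e.g. python smi_probe.py 192.0.2.0/24
        for host, verdict in scan(sys.argv[1:]).items():
            print(host, verdict)
    else:                               # offline demo against the fake switch
        srv, port = start_fake_smi_client()
        print("127.0.0.1:%d -> %s" % (port, probe_host("127.0.0.1", port)))
        srv.close()
```

Any host that comes back as "smi-enabled" should be checked on the device with `show vstack config` and, unless Smart Install is genuinely in use, disabled with `no vstack`; where the running IOS release lacks that command, an interface or infrastructure ACL blocking TCP/4786 is the fallback. A "closed" verdict from an Internet-side scan does not prove the client is off on the switch itself, only that the path to it is filtered.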


Cisco says the "misconfiguration" issue has nothing to do with a recent remote code execution flaw found in the same protocol by Embedi researchers. Nonetheless, if admins choose to leave SMI enabled on their devices, they should update the switches' OS to a version that includes a fix for that flaw as well.



