Cisco Protocol Abused by Nation State Hackers

Cisco Protocol Abused by Nation State Hackers

Russian government hackers flagged in March for targeting US critical infrastructure (CNI) are abusing a Cisco protocol known to have been vulnerable for over a year, the vendor has revealed.

The “protocol misuse” issue in Cisco’s Smart Install Client was first detailed in February 2017, when Cisco warned that it had detected parties scanning for unsecured versions of the legacy utility, which allows for speedy installation of switches.

Despite releasing tools to help firms find devices using the protocol, and attempts to abuse it, it revealed last week that 168,000 systems are still potentially exposed.

“The Cisco Smart Install protocol can be abused to modify the TFTP server setting, exfiltrate configuration files via TFTP, modify the configuration file, replace the IOS image, and set up accounts, allowing for the execution of IOS commands,” explained Cisco Talos outreach engineer, Nick Biasini.

“Although this is not a vulnerability in the classic sense, the misuse of this protocol is an attack vector that should be mitigated immediately. Throughout the end of 2017 and early 2018, Talos has observed attackers trying to scan clients using this vulnerability. Recent information has increased the urgency of this issue.”

Cisco said some of the attackers looking to abuse the protocol were nation-state Kremlin hackers linked to attacks on the US energy sector in March.

However, according to Kaspersky Lab, the campaign “is mostly targeting the Russian-speaking segment of the internet,” with attackers leaving a message that reads: “Do not mess with our elections” on affected machines, with an image of a US flag.

Talos claimed to have seen a sharp increase in scanning for Cisco Smart Install Clients on or around around November 9, 2017.

The same attacks have also been reported as targeting machines in Iran and China.

As if that weren’t enough, Cisco was also forced to patch a publicly disclosed critical vulnerability in the same protocol, revealed at the end of March. It urged organizations to address both issues at the same time.

Source: Information Security Magazine