Cisco Systems has identified more than 168,000 systems that are potentially exposed via its Cisco Smart Install Client, which the U.S. government said is being targeted by Russian state-sponsored hackers.
In an alert issued April 16, the U.S. Computer Emergency Readiness Team said Russian hackers are attacking networking devices, network management protocols and the Cisco Smart Install Client in networks that belong to governments, infrastructure providers and businesses.
“Russian state-sponsored cyber actors have conducted both broad-scale and targeted scanning of Internet address spaces. Such scanning allows these actors to identify enabled Internet-facing ports and services, conduct device fingerprinting, and discover vulnerable network infrastructure devices,” said the April 16 alert, which was based on results of analytic efforts between the Department of Homeland Security, the FBI and the United Kingdom’s National Cyber Security Centre.
“Since 2015, the US government received information from multiple sources—including private- and public-sector cybersecurity research organizations and allies—that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide,” Monday’s technical alert stated. “The US government assesses that cyber actors supported by the Russian government carried out this worldwide campaign. These operations enable espionage and intellectual property that supports the Russian Federation’s national security and economic goals.”
The alert went on to warn that many network devices are poorly secured against remote intrusions. Old products that use protocols lacking encryption, run firmware that’s no longer eligible to receive security patches, or are insufficiently hardened to withstand attacks allow hackers to remotely commandeer devices with no need to exploit zero-day vulnerabilities or even install malware. In contrast to servers and desktop computers inside targeted organizations, the network devices often receive little ongoing maintenance, making them relatively easy to hack.
In recent weeks, Cisco has published several documents related to the Smart Install feature: one Talos blog about potential misuse of the feature if left enabled, and two Cisco Security Advisories that were included in the March 2018 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. Given the heightened awareness, we want to minimize any potential confusion about exploitation attempts and clarify the verification of the feature on customer devices. As such, Cisco has attempted to consolidate all information related to the mitigation of potential Smart Install misuse or exploit of related vulnerabilities into this single document, which also notes how to properly secure devices that may be exposed and remediate the disclosed vulnerabilities.
Below is a link to the tool page on Cisco's website. It contains details, along with identification and mitigation steps, for your Cisco network devices.
As always, if you need help, please contact us. We are happy to help. firstname.lastname@example.org