Australian organisations have been hit by attackers targeting their Cisco routers and switches and extracting their configuration files, warns the Australian Cyber Security Centre (ACSC).
"Switches with Cisco Smart Install accessible from the internet, and routers or switches with Simple Network Management Protocol (SNMP) enabled and exposed to the internet, are vulnerable to this activity," they wrote.
"Extracted configuration files may contain sensitive information, such as device administrative credentials, and could be used to compromise the router/switch and enable targeting of other devices on the network. Access to the device may facilitate malicious cyber adversaries gaining access to the information that flows through the device."
Cisco has been aware since February of attackers "potentially abusing the Smart Install (SMI) feature in Cisco IOS and IOS XE Software", and of attackers actively scanning for networks vulnerable to misuse, the company wrote in a blog post at the time.
But Cisco downplayed the problem, referring to SMI as a "legacy feature".
"The feature has been designed for use within the local customer network and should not be exposed to untrusted networks," the company wrote.
Cisco also downplayed the problem in their security advisory of February 14.
"Cisco does not consider this a vulnerability in Cisco IOS, IOS XE, or the Smart Install feature itself but a misuse of the Smart Install protocol, which does not require authentication by design," they wrote.
The company recommends using newer technology to set up new switches, such as the Cisco Network Plug and Play feature.
The ACSC's advisory recommends that if devices can be directly managed from the internet, administrators should review the device logs and report any evidence of unusual activity.
The ACSC recommends taking steps to minimise risk:
The ACSC points to Cisco's advice on securely configuring SMI, which was updated in conjunction with their February blog post.
The ACSC also recommends that all organisations follow the Australian Signals Directorate (ASD) Strategies to Mitigate Cyber Security Incidents. They consider the Essential Eight strategies from that list to be the "minimum cyber security baseline" for all businesses.
The more general guidance from the UK's National Cyber Security Centre (NCSC) is also recommended.
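The exposure the ACSC describes (Smart Install left on, SNMP reachable without restriction, credentials recoverable from the configuration) can be checked offline against a saved running-config. The script below is an added example, not code from the ACSC or Cisco; the check names and the sample configuration are constructed, and it assumes the Smart Install client is active unless `no vstack` appears in the config.

```python
import re

# Constructed sample running-config; not taken from any real device.
SAMPLE_CONFIG = """\
hostname edge-sw1
enable password s3cret
username admin privilege 15 password 7 00EXAMPLE00
snmp-server community public RO
snmp-server community n0c-read RO 10
access-list 10 permit 192.0.2.0 0.0.0.255
"""

def audit_config(text):
    """Return (check_id, line_no, note) findings for one saved IOS config."""
    lines = [l.strip() for l in text.splitlines()]
    findings = []
    # Assumption: the Smart Install client is on unless 'no vstack' is configured.
    if "no vstack" not in lines:
        findings.append(("smi-enabled", 0, "no 'no vstack' line found"))
    for n, l in enumerate(lines, start=1):
        # Credentials an extracted config would hand over in recoverable form.
        if l.startswith("enable password "):
            findings.append(("enable-password", n, "use 'enable secret' instead"))
        if re.search(r"\bpassword 7 ", l):
            findings.append(("type7-password", n, "type 7 encoding is reversible"))
        tok = l.split()
        if tok[:2] != ["snmp-server", "community"] or len(tok) < 3:
            continue
        name, rest = tok[2], tok[3:]
        if "view" in rest:  # drop the optional 'view <name>' pair
            i = rest.index("view")
            del rest[i:i + 2]
        # Whatever remains besides RO/RW is treated as the restricting ACL.
        acl = [t for t in rest if t.lower() not in ("ro", "rw")]
        if name.lower() in ("public", "private"):
            findings.append(("snmp-default-community", n, "well-known community name"))
        if not acl:
            findings.append(("snmp-no-acl", n, "community not restricted by an ACL"))
    return findings

if __name__ == "__main__":
    for check, line_no, note in audit_config(SAMPLE_CONFIG):
        print(f"{check:24} line {line_no:<3} {note}")
```

A clean result only means the saved text passed these checks; whether the device is reachable from the internet still has to be confirmed at the network edge.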