Australian businesses targeted in Cisco switch and router attacks: ACSC

Attackers are leveraging misconfigurations in networks' Cisco Smart Install and SNMP protocols. Businesses are urged to review their device logs for any unusual activity.
Written by Stilgherrian, Contributor

Australian organisations have been hit by attackers targeting their Cisco routers and switches and extracting their configuration files, warns the Australian Cyber Security Centre (ACSC).

"Switches with Cisco Smart Install accessible from the internet, and routers or switches with Simple Network Management Protocol (SNMP) enabled and exposed to the internet, are vulnerable to this activity," they wrote.

"Extracted configuration files may contain sensitive information, such as device administrative credentials, and could be used to compromise the router/switch and enable targeting of other devices on the network. Access to the device may facilitate malicious cyber adversaries gaining access to the information that flows through the device."

Cisco has been aware since February of attackers "potentially abusing the Smart Install (SMI) feature in Cisco IOS and IOS XE Software", and of attackers actively scanning for networks vulnerable to misuse, the company wrote in a blog post at the time.

But Cisco downplayed the problem, referring to SMI as a "legacy feature".

"The feature has been designed for use within the local customer network and should not be exposed to untrusted networks," the company wrote.

Cisco also downplayed the problem in their security advisory of February 14.

"Cisco does not consider this a vulnerability in Cisco IOS, IOS XE, or the Smart Install feature itself but a misuse of the Smart Install protocol, which does not require authentication by design," they wrote.

The company recommends using newer technology to set up new switches, such as the Cisco Network Plug and Play feature.

The ACSC's advisory recommends that if devices can be directly managed from the internet, administrators should review the device logs and report any evidence of unusual activity.

The ACSC recommends taking steps to minimise risk:

  • Disable SNMP Read/Write if not strictly required, and consider disabling SNMP entirely if it isn't needed. If SNMP Read/Write is required, then either make sure the SNMP service cannot be connected to from untrusted sources; or upgrade to SNMPv3 and change all community strings; or both.
  • Implement Access Control Lists (ACL) to restrict SNMP access to your network management platform, and configure anti-spoofing at the edge of your network so that spoofed packets claiming to be sent from your network management platform are dropped.
  • Disable Cisco Smart Install if it isn't strictly required.
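To make the three recommendations concrete, here is an added IOS configuration example (not from the ACSC or Cisco advisories) showing a weak configuration of the kind the advisory warns about, followed by the commands that implement each mitigation. The interface name, the management-platform address 192.0.2.10, the management prefix 192.0.2.0/24 and the SNMPv3 user and group names are constructed for the example.

```text
! --- Weak configuration (constructed): what the ACSC advisory is warning about ---
vstack                                  ! Smart Install enabled (the IOS default on many switches)
snmp-server community public RO         ! default community strings, no source restriction
snmp-server community private RW
interface GigabitEthernet0/1            ! internet-facing uplink with no inbound ACL
 ip address 198.51.100.2 255.255.255.252

! --- Hardened configuration: the three ACSC recommendations ---
! 1. Disable Smart Install. 'no vstack' is Cisco's documented command;
!    verify with 'show vstack config', which should report Smart Install disabled.
no vstack

! 2. Remove the weak/default community strings.
no snmp-server community public
no snmp-server community private

! 3. Only the network management platform (192.0.2.10, assumed) may talk SNMP.
access-list 10 remark SNMP from the management platform only
access-list 10 permit host 192.0.2.10
access-list 10 deny any log

! 4. Move to SNMPv3 with authentication and encryption, bound to that ACL.
!    If v2c read-only is still required, use a new non-default string bound to the ACL:
!    snmp-server community <NEW-STRONG-STRING> RO 10
snmp-server group NMS-ADMINS v3 priv access 10
snmp-server user nms-poller NMS-ADMINS v3 auth sha <AUTH-PASSPHRASE> priv aes 128 <PRIV-PASSPHRASE>

! 5. Anti-spoofing at the edge: drop inbound packets that claim to come from the
!    management network, and block Smart Install (TCP 4786) and SNMP (UDP 161/162)
!    from untrusted sources. Strict uRPF adds a second spoofing check.
ip access-list extended EDGE-IN
 deny ip 192.0.2.0 0.0.0.255 any log
 deny tcp any any eq 4786 log
 deny udp any any eq snmp log
 deny udp any any eq snmptrap log
 permit ip any any
interface GigabitEthernet0/1
 description Internet-facing uplink
 ip access-group EDGE-IN in
 ip verify unicast source reachable-via rx
```

The 'log' keywords produce syslog entries for denied packets, which is the evidence of "unusual activity" the ACSC asks administrators to review; on links with asymmetric routing, use the 'any' form of uRPF instead of 'rx'.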

The ACSC points to Cisco's advice on securely configuring SMI, which was updated in conjunction with their February blog post.

The ACSC also recommends that all organisations follow the Australian Signals Directorate (ASD) Strategies to Mitigate Cyber Security Incidents. They consider the Essential Eight strategies from that list to be the "minimum cyber security baseline" for all businesses.

The more general guidance from the UK's National Cyber Security Centre (NCSC) is also recommended.
