Attackers are exploiting a 'protocol misuse' issue in Cisco's Smart Install Client to gain entry to critical infrastructure providers, according to researchers at Cisco's Talos Intelligence group.
The researchers say the attackers are linked to nation-state hackers and point to US CERT's recent alert detailing suspected Russian government attacks on US agencies and organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. Symantec refers to that hacking group as Dragonfly.
Researchers at security firm Embedi found that millions of Cisco network devices have been left vulnerable by an open TCP 4786 port.
Cisco has also seen a huge uptick in traffic to the TCP 4786 port which began around November 2017 and then spiked in April 2018.
However, the main thrust of the new alert concerns an advisory Cisco issued in February 2017 after discovering a surge in internet scans for Smart Install instances that had been set up without proper security controls.
Attackers could send Smart Install protocol messages to Smart Install clients to allow them to change the startup-config file, trigger a reload, and then load a new image of Cisco's IOS networking software on to the device.
The attacker could then provide command-line instructions on switches running IOS and IOS XE. Cisco at the time said it was not a vulnerability because the Smart Install protocol intentionally doesn't require authentication.
"The Cisco Smart Install protocol can be abused to modify the TFTP server setting, exfiltrate configuration files via TFTP, modify the configuration file, replace the IOS image, and set up accounts, allowing for the execution of IOS commands," Talos researcher Nick Biasini wrote on Thursday.
"Although this is not a vulnerability in the classic sense, the misuse of this protocol is an attack vector that should be mitigated immediately. Throughout the end of 2017 and early 2018, Talos has observed attackers trying to scan clients using this vulnerability. Recent information has increased the urgency of this issue."
Talos researchers using Shodan discovered 168,000 systems are potentially exposed due to improperly secured Smart Install clients.
Biasini also urged Cisco customers to apply last week's Smart Install security update. However, it has not seen this attack vector being exploited.
"While we have only observed attacks leveraging the protocol misuse issue, recently another vulnerability in the Cisco Smart Install Client was disclosed and patched.
"This vulnerability has been discussed publicly, and proof-of-concept code has been released. While mitigating the protocol misuse issue, customers should also address this vulnerability."