U.S. Government: Russian Hackers Targeting Cisco Smart Install Protocol; 168,000 Systems Potentially Exposed
Cisco Systems has identified more than 168,000 systems that are potentially exposed via its Cisco Smart Install Client, which the U.S. government said is being targeted by Russian state-sponsored hackers.
In an alert issued April 16, the U.S. Computer Emergency Readiness Team said Russian hackers are attacking networking devices, network management protocols and the Cisco Smart Install Client that belong to governments, infrastructure providers and businesses.
"Russian state-sponsored cyber actors have conducted both broad-scale and targeted scanning of Internet address spaces. Such scanning allows these actors to identify enabled Internet-facing ports and services, conduct device fingerprinting, and discover vulnerable network infrastructure devices," said the April 16 alert, which was based on results of analytic efforts between the Department of Homeland Security, the FBI and the United Kingdom's National Cyber Security Centre.
Russian hackers are leveraging a number of legacy or weak protocols and service ports associated with network administration activities to identify vulnerable devices, extract device configurations, gain login credentials, modify device firmware and operating systems, and copy or redirect traffic through Russian-controlled infrastructure, according to the alert. The protocols being targeted include Telnet, Hypertext Transfer Protocol, Simple Network Management Protocol and Cisco Smart Install.
Cisco issued its own advisory warning this month regarding its Smart Install Client solution being leveraged to compromise customer devices.
"Several incidents in multiple countries, including some specifically targeting critical infrastructure, have involved the misuse of the Smart Install protocol," wrote Cisco Talos, the company's threat intelligence group, in an advisory warning April 5. "We are taking an active stance, and are urging customers, again, of the elevated risk and available remediation paths."
Cisco's Smart Install Client is a legacy utility designed to allow zero-touch installation of new Cisco equipment, specifically Cisco switches. The protocol can be abused to modify the TFTP (Trivial File Transfer Protocol) server setting, exfiltrate configuration files via TFTP, modify the configuration file, replace the IOS image and set up accounts, allowing for the execution of IOS commands, according to Cisco Talos. "Although this is not a vulnerability in the classic sense, the misuse of this protocol is an attack vector that should be mitigated immediately," said Cisco.
Through the end of 2017 and into early 2018, Cisco Talos observed attackers scanning for clients exposing this weakness. During Cisco Talos' investigation, the company identified more than 168,000 systems that are potentially exposed via the Cisco Smart Install Client.
"The results were extremely troubling," wrote Cisco Talos in its advisory. However, the team did say it was an improvement from the reported numbers in 2016, when security firm Tenable observed 251,000 exposed Cisco Smart Install Clients.
In an interview with CRN, Nirav Sheth, vice president of architectures, solutions and engineering in Cisco's global partner organization, said the company often stays ahead of attacks with its threat intelligence engine and Cisco Talos team.
"We see more threats every day than Google sees searches every day via our threat intelligence engine," said Sheth. "However, there are times when potential vulnerabilities may be found externally, for anyone in the industry. When those are brought to our attention -- whether it's Cisco or anybody else -- we're going to act as quickly as possible to address any potential risks or vulnerabilities that are out there and deliver to our customers best-in-class security capabilities."
Robert Keblusek, CTO of Sentinel Technologies, a Downers Grove, Ill.-based Cisco partner ranked No. 117 on the 2017 CRN Solution Provider 500 list, said the global networking leader is one of the "biggest targets" for hackers in the world.
"If you're going to find a compromise and get into somebody's network and move laterally, which is ideally what an attacker would like to do, then you're going to go after the biggest market share in terms of vulnerability because you can create the biggest impact with your attack," said Keblusek. "They're capturing network traffic. So the potential to directly capture credentials and passwords is pretty high."
Sentinel has reached out to its customers following the Cisco Talos report this month, but has yet to find a vulnerable customer.
"While we've seen customers regularly running updates on endpoints and servers, we don't see them doing that in switching. So they'll be running very old versions of code," said Keblusek. "It's a good warning to make sure that if you're running a network that's secure, you need to take into consideration your routing, your switching, your foundation infrastructure. It's not a set-it-and-forget-it environment. You need to secure it."
Cisco customers can check whether a device is affected by running the command "show vstack config", whose output shows whether the Smart Install Client is active. The simplest mitigation is to run the command "no vstack" on the affected device, according to Cisco Talos.
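The check and mitigation above, turned into a small audit script as an added example (not code from Cisco, Talos or CRN): it parses collected "show vstack config" output per switch, flags devices where the Smart Install Client is enabled, and emits the "no vstack" remediation. The output format ("Role: Client (SmartInstall enabled)"), the device names and the captured text are assumptions constructed for illustration; the surrounding "configure terminal"/"end"/"write memory" lines are standard IOS wrapping, not something the article names.

```python
"""Audit 'show vstack config' output from Cisco IOS switches for an active Smart Install Client."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed IOS output shape, e.g. " Role: Client (SmartInstall enabled)"
ROLE_RE = re.compile(r"^\s*Role:\s*(?P<role>\w+)(?:\s*\((?P<state>[^)]*)\))?",
                     re.MULTILINE | re.IGNORECASE)
DIRECTOR_RE = re.compile(r"Vstack Director IP address:\s*(?P<ip>[\d.]+)", re.IGNORECASE)

@dataclass
class VstackStatus:
    device: str
    role: Optional[str]      # "Client", "Director", or None if the command is unsupported
    enabled: bool            # True only for an enabled Smart Install Client
    director_ip: Optional[str]

def parse_vstack_config(device: str, output: str) -> VstackStatus:
    """Classify one device from its captured 'show vstack config' output.
    A device that does not support the command (error text, no 'Role:' line) is treated as not exposed."""
    m = ROLE_RE.search(output)
    if not m:
        return VstackStatus(device, None, False, None)
    role = m.group("role").capitalize()
    state = (m.group("state") or "").lower()
    enabled = role == "Client" and "enabled" in state and "disabled" not in state
    d = DIRECTOR_RE.search(output)
    return VstackStatus(device, role, enabled, d.group("ip") if d else None)

def remediation_lines(status: VstackStatus) -> List[str]:
    """IOS lines to disable the client where it is enabled; the core command is 'no vstack' (per Talos)."""
    if not status.enabled:
        return []
    return ["configure terminal", "no vstack", "end", "write memory"]

def audit(samples: Dict[str, str]) -> Dict[str, VstackStatus]:
    """Map device name -> parsed status for a batch of captured outputs."""
    return {name: parse_vstack_config(name, out) for name, out in samples.items()}

# Constructed sample captures (hypothetical device names and text)
SAMPLES = {
    "access-sw-01": " Role: Client (SmartInstall enabled)\n Vstack Director IP address: 0.0.0.0\n",
    "access-sw-02": " Role: Client (SmartInstall disabled)\n Vstack Director IP address: 0.0.0.0\n",
    "core-rtr-01": "% Invalid input detected at '^' marker.\n",
}

if __name__ == "__main__":
    for s in audit(SAMPLES).values():
        verdict = "EXPOSED: disable with " + " / ".join(remediation_lines(s)) if s.enabled else "ok"
        print(f"{s.device}: role={s.role} director={s.director_ip} -> {verdict}")
```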
Cisco is strongly encouraging all customers to review their architecture, use the tools provided by Talos to scan their network, and remove Cisco Smart Install Client from all devices where it is not used.