Cyber attack on Cisco switches

A “massive attack” is under way against Cisco switches, which are used in data centers worldwide.

According to a Kaspersky report, threat actors are using bots, fed by the IoT search engine Shodan, to scan the internet for a vulnerability in Cisco’s Smart Install Client software. Once the flaw is exploited, the hackers can run arbitrary code on vulnerable switches, rewrite the Cisco IOS image on the switch, and then overwrite the configuration file with the message “don’t mess with our elections.” The switches are thus made unavailable.

Cisco’s Talos group said in a blog post just last week that 168,000 devices found via Shodan have this vulnerability.

However, Cisco does not even call this a vulnerability and instead refers to the issue as “Smart Install Protocol Misuse”: the protocol does not require authentication by design, as Cisco noted in its most recent advisory.

A few of the notable use cases and recommendations that Cisco provided to mitigate the threat:

  • Disable the Smart Install feature with the configuration command no vstack (for customers not using the Cisco Smart Install feature).
  • For customers using the Smart Install feature purely for zero-touch deployment: disable the Smart Install feature with the configuration command no vstack after the switch has been deployed.
  • For customers that use the Smart Install feature for more than zero-touch deployment: ensure that only the IBD has TCP connectivity to all IBCs on port 4786 (for example, by using interface access control lists).
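The three recommendations above describe a configuration state that can be checked offline. The following Python script is an added example (not Cisco's code and not from the Kaspersky or Talos reports) that audits saved IOS running-config text: it reports Smart Install as enabled unless an explicit no vstack line is present, and, when it is enabled, looks for an applied extended ACL that permits TCP/4786 only from the IBD address and denies it from every other source. The sample configurations, hostnames, addresses and the ACL name SMI_GUARD are constructed for this example; the ACL syntax follows standard IOS extended ACL form.

```python
import re
from dataclasses import dataclass

SMART_INSTALL_PORT = 4786  # TCP port used by the Smart Install protocol


@dataclass
class SmartInstallFinding:
    hostname: str
    vstack_enabled: bool   # True unless the config contains "no vstack"
    acl_guard: bool        # True if an applied ACL limits TCP/4786 to the IBD

    @property
    def exposed(self) -> bool:
        # Exposed when Smart Install is on and nothing restricts who can reach it.
        return self.vstack_enabled and not self.acl_guard


def smart_install_enabled(config: str) -> bool:
    # On affected releases Smart Install is on by default; only an explicit
    # "no vstack" line in the configuration turns it off.
    return re.search(r"^\s*no vstack\s*$", config, re.MULTILINE) is None


def parse_acls(config: str) -> dict:
    """Map each extended ACL name to its list of entry lines (stripped)."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^ip access-list extended (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current is not None and line.startswith(" "):
            acls[current].append(line.strip())
        else:
            current = None  # any non-indented line ends the ACL body
    return acls


def acl_guards_smart_install(entries: list, ibd_ip: str) -> bool:
    """True if the ACL, read in order, lets only the IBD reach TCP/4786 and then
    denies that port from all other sources. Entries not about TCP/4786 are ignored."""
    rule = re.compile(rf"(permit|deny)\s+tcp\s+(any|host \S+)\s+any\s+eq\s+{SMART_INSTALL_PORT}$")
    for entry in entries:
        m = rule.match(entry)
        if not m:
            continue
        action, src = m.groups()
        if action == "permit" and src != f"host {ibd_ip}":
            return False   # some non-IBD source is allowed through first
        if action == "deny" and src == "any":
            return True    # blanket deny reached without a bad permit above it
    return False           # no blanket deny: implicit deny only if the ACL is applied, but
                           # we require an explicit 4786 deny to count it as a guard


def audit(config: str, ibd_ip: str) -> SmartInstallFinding:
    host = re.search(r"^hostname (\S+)", config, re.MULTILINE)
    enabled = smart_install_enabled(config)
    guard = False
    if enabled:
        for name, entries in parse_acls(config).items():
            # The ACL only counts if it is actually applied inbound on an interface.
            applied = re.search(rf"^\s*ip access-group {re.escape(name)} in\b", config, re.MULTILINE)
            if applied and acl_guards_smart_install(entries, ibd_ip):
                guard = True
                break
    return SmartInstallFinding(host.group(1) if host else "?", enabled, guard)


# Constructed sample configs (not from any real device).
EXPOSED_CONFIG = """hostname core-sw1
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
"""

HARDENED_CONFIG = """hostname core-sw2
!
no vstack
!
interface Vlan10
 ip address 10.0.10.2 255.255.255.0
!
"""

GUARDED_CONFIG = """hostname access-sw3
!
ip access-list extended SMI_GUARD
 permit tcp host 10.0.0.5 any eq 4786
 deny tcp any any eq 4786
 permit ip any any
!
interface Vlan10
 ip address 10.0.10.3 255.255.255.0
 ip access-group SMI_GUARD in
!
"""

if __name__ == "__main__":
    for cfg in (EXPOSED_CONFIG, HARDENED_CONFIG, GUARDED_CONFIG):
        f = audit(cfg, ibd_ip="10.0.0.5")
        print(f"{f.hostname}: vstack={'on' if f.vstack_enabled else 'off'} "
              f"acl_guard={f.acl_guard} exposed={f.exposed}")
```

The script treats any ACL that permits TCP/4786 from a source other than the IBD as a failed guard, regardless of what follows, because IOS evaluates entries in order. It is a static check on config text only; on the device itself, show vstack config and the advisory's own guidance remain the authoritative way to confirm the feature's state.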

On a related note, US-CERT issued a joint technical alert (TA) just last month warning of state-sponsored hackers from Russia who are targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.