Summary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged the disabling of the legacy Cisco Smart Install feature due to its exploitation in recent cyberattacks. Additionally, CISA has recommended enhancing password protection measures for Cisco network devices to prevent unauthorized access.
Threat Actor: Dragonfly APT group | Dragonfly APT group
Victim: Cisco network devices | Cisco network devices
Key Point :
- CISA has observed the abuse of the Cisco Smart Install feature, prompting a recommendation to disable it to prevent data theft.
- Weak password types on Cisco devices have been exploited, leading CISA to advise the implementation of stronger password protection measures, specifically NIST-approved type 8 passwords.
- Organizations are encouraged to follow best practices for securing administrator accounts and passwords to mitigate risks of unauthorized access.
On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommended disabling the legacy Cisco Smart Install (SMI) feature after seeing it abused in recent attacks.
CISA has spotted threat actors using this tactic and leveraging other protocols or software to steal sensitive data, such as system configuration files, which prompted an alert advising admins to disable the legacy SMI protocol (superseded by the Cisco Network Plug and Play solution) to block these ongoing attacks.
It also recommended reviewing the NSA’s Smart Install Protocol Misuse advisory and Network Infrastructure Security Guide for further configuration guidance.
In 2018, the Cisco Talos team also warned that the Cisco SMI protocol was being abused to target Cisco switches in attacks linked to multiple hacking groups, including the Russian-backed Dragonfly APT group (also tracked as Crouching Yeti and Energetic Bear).
The attackers took advantage of switch owners’ failure to configure or disable the protocol, which left the SMI client running and waiting for “installation/configuration” commands.
Vulnerable switches allowed the threat actors to alter configuration files, replace the IOS system image, add rogue accounts, and exfiltrate information via the TFTP protocol.
In February 2017 and February 2018, Cisco warned customers that malicious actors were actively scanning for Internet-exposed SMI-enabled Cisco devices.
Threat monitoring service Shadowserver currently tracks over 6,000 IP addresses with the Cisco Smart install feature exposed online, down from over 11,000 in August 2023.
Abuse of weak password types
Admins were also advised today to implement better password protection measures after CISA found that attackers exploit weak password types to compromise Cisco network devices.
“A Cisco password type is the type of algorithm used to secure a Cisco device’s password within a system configuration file. The use of weak password types enables password cracking attacks,” the agency added today.
“Once access is gained a threat actor would be able to access system configuration files easily. Access to these configuration files and system passwords can enable malicious cyber actors to compromise victim networks. Organizations must ensure all passwords on network devices are stored using a sufficient level of protection.”
CISA recommends using NIST-approved type 8 password protection for all Cisco devices. This ensures passwords are hashed with the Password-Based Key Derivation Function version 2 (PBKDF2), the SHA-256 hashing algorithm, an 80-bit salt, and 20,000 iterations.
More information on enabling Type 8 privilege EXEC mode passwords and creating a local user account with a Type 8 password on a Cisco device is available in NSA’s Cisco Password Types: Best Practices guide.
The cybersecurity agency recommends following best practices for securing administrator accounts and passwords within configuration files.
This includes properly storing passwords using a strong hashing algorithm, avoiding password reuse across systems, using strong and complex passwords, and avoiding using group accounts that do not provide accountability.