On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommended disabling the legacy Cisco Smart Install (SMI) feature after seeing it abused in recent attacks.
CISA has observed threat actors using this tactic and leveraging other protocols or software to steal sensitive data, such as system configuration files, which prompted an alert advising admins to disable the legacy SMI protocol (superseded by the Cisco Network Plug and Play solution) to block these ongoing attacks.
It also recommended reviewing the NSA’s Smart Install Protocol Misuse advisory and Network Infrastructure Security Guide for further configuration guidance.
In 2018, the Cisco Talos team also warned that the Cisco SMI protocol was being abused to target Cisco switches in attacks linked to multiple hacking groups, including the Russian-backed Dragonfly APT group (also tracked as Crouching Yeti and Energetic Bear).
The attackers took advantage of switch owners’ failure to configure or disable the protocol, which left the SMI client running and waiting for “installation/configuration” commands.
Vulnerable switches allowed the threat actors to modify configuration files, replace the IOS system image, add rogue accounts, and exfiltrate information via the TFTP protocol.
In February 2017 and February 2018, Cisco warned customers that malicious actors were actively scanning for Internet-exposed SMI-enabled Cisco devices.
Abuse of weak password sorts
Admins were also advised today to implement better password security measures after CISA found that attackers exploit weak password types to compromise Cisco network devices.
“A Cisco password type is the type of algorithm used to secure a Cisco device’s password within a system configuration file. The use of weak password types enables password cracking attacks,” the agency added today.
“Once access is gained, a threat actor would be able to access system configuration files easily. Access to these configuration files and system passwords can enable malicious cyber actors to compromise victim networks. Organizations must ensure all passwords on network devices are stored using a sufficient level of protection.”
CISA recommends using NIST-approved type 8 password protection for all Cisco devices. This ensures passwords are hashed with the Password-Based Key Derivation Function version 2 (PBKDF2), the SHA-256 hashing algorithm, an 80-bit salt, and 20,000 iterations.
More information on enabling Type 8 privilege EXEC mode passwords and creating a local user account with a Type 8 password on a Cisco device is available in NSA’s Cisco Password Types: Best Practices guide.
The cybersecurity agency recommends following best practices for securing administrator accounts and passwords within configuration files.
This includes properly storing passwords using a strong hashing algorithm, avoiding password reuse across systems, using strong and complex passwords, and avoiding the use of group accounts that don’t provide accountability.
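The two recommendations in the alert (disable Smart Install, stop storing credentials with weak password types) are both visible in a device's running configuration, so they can be checked offline from a config backup. The script below is an added example written for this article, not code from CISA, the NSA or Cisco: it scans a constructed IOS-style config excerpt (hostnames, users and the `$1$`/`$8$` strings are made-up placeholders, not real hashes), flags credentials stored as types 0, 4, 5 or 7 instead of the recommended type 8, and flags the absence of an explicit `no vstack` line. Treating a missing `no vstack` as "Smart Install not confirmed disabled" is an auditing assumption made here, since the feature is on by default; the `enable algorithm-type sha256 secret` and `username ... algorithm-type sha256 secret` remediation commands are the IOS syntax for configuring type 8 secrets, with `<NEW-PASSWORD>` left as a placeholder.

```python
"""Audit a Cisco IOS running-config excerpt for the two issues in the CISA alert:
Smart Install left enabled, and credentials stored with weak password types."""
import re
from typing import Dict, List

# Constructed sample running-config excerpt. Users, hostname and hash strings
# are placeholders invented for this example, not values from any real device.
SAMPLE_CONFIG = """\
hostname core-sw-01
!
username admin privilege 15 password 0 Summer2018!
username backup password 7 0822455D0A16
username netops secret 5 $1$abcd$PLACEHOLDERPLACEHOLDER
username auditor secret 8 $8$PLACEHOLDERSALT$PLACEHOLDERHASHPLACEHOLDERHASHPLACEHOLDER
enable secret 5 $1$wxyz$PLACEHOLDERPLACEHOLDER
!
ip tftp source-interface Vlan1
!
"""

# Cisco password-type numbers as they appear in configuration files.
# 0 = plaintext, 7 = reversible obfuscation, 4 = unsalted SHA-256 (deprecated),
# 5 = salted MD5. These are the weak types the alert refers to. Type 8
# (PBKDF2-HMAC-SHA256, 20,000 iterations) is the type CISA recommends; type 9
# (scrypt) is also a modern type but is not the one the alert names.
WEAK_TYPES = {"0": "plaintext", "7": "reversible obfuscation",
              "4": "unsalted SHA-256 (deprecated)", "5": "salted MD5"}
RECOMMENDED_TYPE = "8"

# Matches 'enable secret 5 ...', 'username bob privilege 15 password 7 ...' etc.
# The type number is optional: 'username bob password hunter2' is stored as type 0.
CRED_RE = re.compile(
    r"^(?P<scope>enable|username\s+(?P<user>\S+))"
    r"(?:\s+privilege\s+\d+)?"
    r"\s+(?P<kw>password|secret)"
    r"(?:\s+(?P<type>\d+))?"
    r"\s+(?P<value>\S+)\s*$")


def audit_config(config: str) -> List[Dict[str, str]]:
    """Return a list of findings for the given running-config text."""
    findings: List[Dict[str, str]] = []
    lines = [ln.strip() for ln in config.splitlines()]

    # Smart Install is on by default and shows up as an explicit 'no vstack'
    # line once disabled. Absence of that line is treated here as
    # "not confirmed disabled" (an auditing assumption, not a Cisco rule).
    if "no vstack" not in lines:
        findings.append({"check": "smart-install", "severity": "high",
                         "detail": "no 'no vstack' line: Smart Install may be enabled",
                         "fix": "no vstack"})

    for ln in lines:
        m = CRED_RE.match(ln)
        if not m:
            continue
        ptype = m.group("type") or "0"  # no type number means plaintext (type 0)
        if ptype == RECOMMENDED_TYPE:
            continue
        if ptype in WEAK_TYPES:
            what = WEAK_TYPES[ptype]
            sev = "high" if ptype in ("0", "7") else "medium"
        else:
            what = f"type {ptype} (not the recommended type 8)"
            sev = "low"
        if m.group("user"):
            target = f"username {m.group('user')}"
            fix = f"username {m.group('user')} algorithm-type sha256 secret <NEW-PASSWORD>"
        else:
            target = "enable"
            fix = "enable algorithm-type sha256 secret <NEW-PASSWORD>"
        findings.append({"check": "password-type", "severity": sev,
                         "detail": f"{target} stored as type {ptype}: {what}",
                         "fix": fix})
    return findings


def remediation_commands(findings: List[Dict[str, str]]) -> List[str]:
    """Distinct IOS configuration commands that address the findings, in order."""
    cmds: List[str] = []
    for f in findings:
        if f["fix"] not in cmds:
            cmds.append(f["fix"])
    return cmds


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for f in results:
        print(f"[{f['severity']:6}] {f['check']}: {f['detail']}")
    print("\nRemediation (replace <NEW-PASSWORD> with a unique, strong password):")
    for cmd in remediation_commands(results):
        print("  " + cmd)
```

Run against the sample config, the script reports Smart Install as unconfirmed, the `admin` and `backup` accounts (types 0 and 7) as high severity, and the `netops` and `enable` secrets (type 5) as medium, while the type 8 `auditor` account passes. The remediation list is a starting point for the change window, not something to paste blindly: each `<NEW-PASSWORD>` should be unique per device and account, in line with the reuse advice above.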