Hackers Stealing Data Using Cisco Smart Install
The US Cybersecurity and Infrastructure Security Agency (CISA) reports that hackers are exploiting the obsolete Cisco Smart Install feature with the aim of accessing sensitive data.
CISA has detected hackers using this tactic, leveraging readily available protocols and software, to steal sensitive data, including system configuration files. This is urgent enough to have prompted the agency to issue an alert advising network admins to disable the legacy SMI protocol to block these attacks.
CISA said it has seen cyber criminals "acquire system configuration files by leveraging available protocols or software on devices, such as abusing the legacy Cisco Smart Install feature."
It also reports that it continues to see weak password types being used on Cisco network devices, thereby exposing them to password-cracking attacks. Hackers who are able to gain access to the device in this manner would be able to easily access system configuration files, enabling more serious problems for their victim networks.
"Organisations must ensure all passwords on network devices are stored using a sufficient level of protection," CISA said, adding it recommends Type 8 password protection for all Cisco devices to protect passwords within configuration files. Type 8 passwords are hashed with the Password-Based Key Derivation Function version 2 (PBKDF2), SHA-256, an 80-bit salt, and 20,000 iterations, which makes them more secure than the previous password types.
CISA is also urging enterprises to consult the National Security Agency's (NSA) Smart Install Protocol Misuse advisory and Network Infrastructure Security Guide for configuration guidance. Additional best practices include the use of a strong hashing algorithm to store passwords, avoiding password reuse, assigning strong and complex passwords, and refraining from using group accounts that do not provide accountability.
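As an added illustration of the two checks CISA describes (this is not code from CISA, Cisco or the article), the following Python sketch audits a saved running-config for credentials that are not stored as Type 8 and for whether Smart Install has been explicitly turned off. The sample configuration is constructed, and the `no vstack` command and the labels for password types other than 8 are assumptions drawn from Cisco's public documentation rather than from this page.

```python
# Constructed sample running-config; every credential string below is made up.
SAMPLE_CONFIG = """\
hostname edge-sw01
enable secret 5 $1$EXAMPLE$constructedmd5value
username admin privilege 15 secret 8 $8$EXAMPLESALT$constructedpbkdf2value
username backup password 7 00000000000000
username legacy password plaintextexample
line vty 0 4
 password 7 00000000000000
"""

# "8" is the type the CISA alert recommends. The other labels follow Cisco's
# public password-type numbering and are not taken from the article.
TYPE_NOTES = {
    "0": "cleartext", "4": "unsalted SHA-256", "5": "salted MD5",
    "6": "reversible AES", "7": "reversible obfuscation",
    "8": "PBKDF2-SHA-256", "9": "scrypt",
}
RECOMMENDED = "8"


def audit(config):
    """Return credentials not stored as Type 8 and whether 'no vstack' is set."""
    not_type8 = []
    lines = config.splitlines()
    for number, line in enumerate(lines, 1):
        tok = line.split()
        if not tok or tok[0] not in ("enable", "username", "password"):
            continue
        is_user = tok[0] == "username"
        # Skip the account name so a user literally called "password" is not misread.
        start = 2 if is_user else 0
        kw = next((i for i in range(start, len(tok)) if tok[i] in ("secret", "password")), None)
        rest = tok[kw + 1:] if kw is not None else []
        if not rest:
            continue
        # A type digit is followed by the stored value; a lone token is cleartext.
        ptype = rest[0] if len(rest) > 1 and rest[0] in TYPE_NOTES else "0"
        if ptype != RECOMMENDED:
            not_type8.append((number, tok[1] if is_user else tok[0], ptype, TYPE_NOTES[ptype]))
    # Assumption: 'no vstack' is the IOS command that turns Smart Install off;
    # the article itself only says the feature should be disabled.
    smi_off = any(entry.strip() == "no vstack" for entry in lines)
    return {"not_type8": not_type8, "smart_install_disabled": smi_off}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for number, who, ptype, note in report["not_type8"]:
        print(f"line {number}: {who} uses type {ptype} ({note})")
    print("Smart Install explicitly disabled:", report["smart_install_disabled"])
```

A missing `no vstack` line only means Smart Install was not explicitly disabled in the saved configuration; confirm the feature's actual state on the device itself.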
The development comes as Cisco warned of the public availability of proof-of-concept (PoC) code for CVE-2024-20419 (CVSS score: 10.0), a critical flaw impacting Smart Software Manager On-Prem (Cisco SSM On-Prem) that could enable a remote, unauthenticated attacker to change the password of any user.
Cisco has previously warned that the Cisco SMI protocol was being abused to target Cisco switches in attacks linked to multiple hacking groups, including the Russian-backed APT group known as Dragonfly.
CISA | US Dept of Defense | Cisco | Hacker News | Bleeping Computer | Techconnex |