Hackers, some of them backed by a nation-state, have attacked Cisco switches in multiple countries, the tech giant’s cyberthreat intelligence division has revealed.
Some of the attacks “are believed to be associated with nation-state actors, such as those described” in a recent Department of Homeland Security report that said Russian government hackers were targeting multiple U.S. industries, Cisco said.
The campaign disclosed by Cisco exploits a protocol in a tool called Cisco Smart Install Client that installs switches. The protocol can be abused to conduct a series of actions, including modifying a server setting, to let an attacker execute Cisco networking software commands. Cisco used the scanning tool Shodan to identify more than 168,000 systems that could be vulnerable to this attack.
A March 15 DHS report blamed Russian government hackers for a multi-stage hacking campaign against the nuclear, critical manufacturing, and other U.S. sectors. The U.S. effort to call out alleged Russian malicious activity in cyberspace continued Friday with a fresh round of sanctions against Russian oligarchs and companies.
Nick Biasini, a threat researcher at Cisco’s Talos Security Intelligence and Research Group, said that while the weakness in Cisco switch protocols was “not a vulnerability in the classic sense, the misuse of this protocol is an attack vector that should be mitigated immediately.” In a blog post, he described switch commands that customers can run to detect and mitigate the vulnerability.
“It can be easy to ‘set and forget’ [perimeter] devices, as they are typically highly stable and rarely changed,” Biasini continued. “Combine this with the advantages that an attacker has when controlling a network device, and routers and switches become very tempting targets.”
Tony Cole, CTO of cybersecurity firm Attivo Networks, told CyberScoop that the attacks on Cisco switches showed that organizations are still slow to detect advanced hackers that have breached their networks. “Today’s preventative-focused security infrastructure is and will continue to be somewhat inept at stopping attacks,” Cole said.
Top White House cybersecurity adviser Rob Joyce urged Cisco customers to fix the vulnerability, tweeting, “Beware! There is growing malicious activity targeting the Cisco Smart Install Clients tool.”