11 April 2018

Attack on Cisco switches

On April 6, a large-scale series of attacks on Cisco IOS switches was recorded across the globe. The attacks resulted in some internet service providers, data centers and websites becoming unavailable. The majority of the organizations attacked are Russian or Iranian. Some of the companies affected by the attack are part of the critical infrastructure.

The attackers took advantage of a vulnerability (CVE-2018-0171) in the Cisco Smart Install Client software. Exploiting the vulnerability enables an attacker to execute arbitrary code on the device. The problem exists because many owners fail to configure or disable the SMI (Smart Install) protocol; as a result, the client keeps listening for configuration commands in the background.

The flaw was identified by Cisco on March 28, 2018. According to research conducted by the Cisco Talos team, the vulnerability potentially affects over 168,000 devices globally. The first incidents involving the exploitation of the vulnerability were observed in February 2017.

According to Kaspersky Lab data, the attackers used a special bot that detects vulnerable devices, overwrites the Cisco IOS image and modifies the configuration file, rendering the device unavailable.

To protect your devices against similar attacks, it is recommended that you install the updates provided by the vendor as soon as possible, or disable the SMI feature in the device configuration. Additionally, access to TCP port 4786 (the port on which the Smart Install client listens) should be restricted.
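The following script is an added example (not from the original advisory, Cisco or Kaspersky Lab) that audits a Cisco IOS running-config excerpt for the two mitigations just described: the `no vstack` command that disables the Smart Install client, and an inbound access list that drops TCP/4786 from anything other than a designated director. The two configurations embedded in it are constructed samples; the director address 10.0.0.5, the ACL name SMI_HARDENING and the interface names are assumptions chosen for illustration.

```python
"""Audit a Cisco IOS running-config excerpt for Smart Install hardening.

Checks two things a defender would verify on every switch:
  1. 'no vstack' is present (Smart Install client disabled).
  2. A named extended ACL denies TCP/4786 before any catch-all permit,
     and that ACL is applied inbound on at least one interface.
"""
import re

# Constructed sample: Smart Install left at its default (listening) and
# nothing filtering port 4786. This is the "before" state.
VULNERABLE_CONFIG = """\
hostname edge-sw1
!
ip access-list extended MGMT_ONLY
 permit ip 10.0.0.0 0.0.0.255 any
!
interface GigabitEthernet1/0/1
 ip access-group MGMT_ONLY in
!
"""

# Constructed sample with both mitigations applied. Only the assumed
# director (10.0.0.5) may reach 4786; everyone else is dropped.
HARDENED_CONFIG = """\
hostname edge-sw1
!
no vstack
!
ip access-list extended SMI_HARDENING
 permit tcp host 10.0.0.5 any eq 4786
 deny tcp any any eq 4786
 permit ip any any
!
interface GigabitEthernet1/0/1
 ip access-group SMI_HARDENING in
!
"""


def parse_acls(config):
    """Return {acl_name: [entry, ...]} for every named extended ACL."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ip access-list extended (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current and line.startswith(" "):
            acls[current].append(line.strip())
        else:
            current = None  # left the ACL block
    return acls


def _denies_tcp_4786(entry):
    parts = entry.split()
    return (len(parts) > 2 and parts[0] == "deny" and parts[1] == "tcp"
            and "eq" in parts and parts[parts.index("eq") + 1] == "4786")


def acl_blocks_4786(entries):
    """True if a deny for TCP/4786 is reached before a catch-all permit.
    Order matters: 'permit ip any any' above the deny makes it dead."""
    for entry in entries:
        if _denies_tcp_4786(entry):
            return True
        if entry == "permit ip any any":
            return False
    return False


def interfaces_with_acl(config, acl_name):
    """List interfaces on which acl_name is applied inbound."""
    found, current = [], None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
        elif current and line.strip() == f"ip access-group {acl_name} in":
            found.append(current)
        elif not line.startswith(" "):
            current = None  # left the interface block
    return found


def audit(config):
    """Summarise the Smart Install hardening state of one config."""
    acls = parse_acls(config)
    blocking = [name for name, entries in acls.items() if acl_blocks_4786(entries)]
    ifaces = sorted(i for name in blocking for i in interfaces_with_acl(config, name))
    return {
        "vstack_disabled": re.search(r"^no vstack\s*$", config, re.M) is not None,
        "smi_acl_blocks_4786": bool(blocking),
        "filtered_interfaces": ifaces,
    }


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```

Feed it the output of `show running-config`; a device reporting `vstack_disabled: False` is still listening for Smart Install commands, and an ACL that denies 4786 but appears on no interface (an empty `filtered_interfaces`) is not protecting anything. The ACL check is deliberately order-aware, because a `permit ip any any` placed above the deny silently defeats it.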

Sources: Cisco, Kaspersky Lab