On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommended disabling the legacy Cisco Smart Install (SMI) feature after seeing it abused in recent attacks.
CISA has spotted threat actors using this tactic and leveraging other protocols or software to steal sensitive data, such as system configuration files, which prompted an alert advising admins to disable the legacy SMI protocol (superseded by the Cisco Network Plug and Play solution) to block these ongoing attacks.
It also recommended reviewing the NSA’s Smart Install Protocol Misuse advisory and Network Infrastructure Security Guide for further configuration guidance.
In 2018, the Cisco Talos team also warned that the Cisco SMI protocol was being abused to target Cisco switches in attacks linked to multiple hacking groups, including the Russian-backed Dragonfly APT group (also tracked as Crouching Yeti and Energetic Bear).
The attackers took advantage of switch owners’ failure to configure or disable the protocol, which left the SMI client running and waiting for “installation/configuration” commands.
Vulnerable switches allowed the threat actors to alter configuration files, replace the IOS system image, add rogue accounts, and exfiltrate information via the TFTP protocol.
In February 2017 and February 2018, Cisco warned customers that malicious actors were actively scanning for Internet-exposed SMI-enabled Cisco devices.
Abuse of weak password types
Admins were also advised today to implement better password protection measures after CISA found that attackers exploit weak password types to compromise Cisco network devices.
“A Cisco password type is the type of algorithm used to secure a Cisco device’s password within a system configuration file. The use of weak password types enables password cracking attacks,” the agency added today.
“Once access is gained a threat actor would be able to access system configuration files easily. Access to these configuration files and system passwords can enable malicious cyber actors to compromise victim networks. Organizations must ensure all passwords on network devices are stored using a sufficient level of protection.”
CISA recommends using NIST-approved type 8 password protection for all Cisco devices. This ensures passwords are hashed with the Password-Based Key Derivation Function version 2 (PBKDF2), the SHA-256 hashing algorithm, an 80-bit salt, and 20,000 iterations.
More information on enabling Type 8 privilege EXEC mode passwords and creating a local user account with a Type 8 password on a Cisco device is available in NSA’s Cisco Password Types: Best Practices guide.
The cybersecurity agency recommends following best practices for securing administrator accounts and passwords within configuration files.
This includes properly storing passwords using a strong hashing algorithm, avoiding password reuse across systems, using strong and complex passwords, and avoiding using group accounts that do not provide accountability.