Attackers obtain system configuration files by taking advantage of software or protocols that are installed on devices, such as by abusing the legacy Cisco Smart Install feature.
Additionally, CISA notes that weak password types are still being used on Cisco network devices. Password cracking attacks are made possible by the use of weak password types.
This can result in sensitive system configuration files being accessed without authorization.
Abusing Cisco Smart Install Feature
Using the Cisco Smart Install feature, adversaries are probably exfiltrating copies of configuration files from switches that are accessible over the internet.
This protocol’s heightened operating risk may compromise the integrity of infrastructure devices.
“Malicious Smart Install protocol messages can allow an unauthenticated, remote attacker to change the startup-config file, force a reload of the device, load a new IOS image on the device, and execute high-privilege CLI commands on switches running Cisco IOS® and IOS XE Software,” reads the NSA advisory.
These configuration files allow an adversary to map the network and move laterally. Moreover, an attacker may install modified IOS images and switch configurations.
An adversary can further breach the network by using a maliciously created IOS image or a modified configuration file.
CISA recommends that organizations disable Smart Install and refer to the NSA’s Smart Install Protocol Misuse advisory and Network Infrastructure Security Guide for configuration support.
Cisco Network Devices Use Weak Password Types
A Cisco password type is a kind of algorithm that is used in a system configuration file to protect the password of a Cisco device.
Poor password selection, router configuration files with hashed passwords delivered via unencrypted email, and reused passwords are all potential ways for network equipment to be stolen.
Selecting secure password storage algorithms can significantly increase the difficulty of exploitation. Additionally, use strong and complex passwords, avoid reusing passwords across systems and do not use group accounts that do not provide accountability.
To safeguard passwords included in configuration files, CISA advises implementing type 8 password protection on all Cisco devices.
Type 8 password protection is NIST-approved and more secure than other password types. For additional information, CISA recommends that businesses study the NSA’s Cisco Password Types: Best Practices guide on protecting administrator accounts and passwords.
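The two recommendations above (disable Smart Install, store passwords as type 8) can be checked against a saved configuration file. The following audit script is an added example, not code from CISA, the NSA or Cisco. It relies on `no vstack`, the Cisco IOS command that disables Smart Install. The sample configuration is constructed, and treating a missing type digit as type 0 and a missing `no vstack` line as "not explicitly disabled" are assumptions of this example.

```python
import re

# Matches credential lines in an IOS configuration, for example
#   enable secret 5 <hash>
#   username bob privilege 15 secret 8 <hash>
#    password 7 <string>        (under a "line vty" block)
# Assumption: a line with no type digit stores the password as type 0 (plaintext).
CRED = re.compile(
    r"^\s*(?:enable\s+|username\s+\S+\s+(?:privilege\s+\d+\s+)?)?"
    r"(?:password|secret)\s+(?:(?P<type>\d)\s+)?(?P<secret>\S+)"
)
RECOMMENDED_TYPE = 8  # the type the article says CISA advises


def audit_config(text):
    """Return (findings, smart_install_disabled) for one configuration.

    findings is a list of (line_number, password_type, redacted_line) for
    every credential line that is not stored as type 8.
    """
    findings, smart_install_disabled = [], False
    for num, line in enumerate(text.splitlines(), start=1):
        if line.strip() == "no vstack":
            smart_install_disabled = True
            continue
        m = CRED.match(line)
        if m is None:
            continue
        ptype = int(m.group("type") or 0)
        if ptype != RECOMMENDED_TYPE:
            # Never copy the stored secret into an audit report.
            redacted = line[:m.start("secret")].strip() + " <redacted>"
            findings.append((num, ptype, redacted))
    return findings, smart_install_disabled


# Constructed sample configuration; hostnames, accounts and hashes are placeholders.
SAMPLE = """\
hostname sw-access-01
service password-encryption
enable secret 5 $1$CONSTRUCTED$0000000000000000000000
username admin privilege 15 secret 8 $8$CONSTRUCTED$0000000000000000000000
username backup password 7 0000000000
username legacy password cleartext-example
line vty 0 4
 password 7 0000000000
 login
"""

if __name__ == "__main__":
    results, disabled = audit_config(SAMPLE)
    for num, ptype, text in results:
        print(f"line {num}: type {ptype} (not type 8): {text}")
    print("Smart Install explicitly disabled:", disabled)
```

A configuration that passes has no findings and contains `no vstack`; platforms that do not support Smart Install will not show that line, so confirm on the device before treating its absence as a finding.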