Cisco Protocol Abused by Nation State Hackers
(Apr 9, 2018)
A “protocol misuse” flaw in Cisco’s “Smart Install Client” has been observed being abused by threat actors and Advanced Persistent Threat (APT) groups who are primarily targeting “the Russian-speaking segment of the internet.” Cisco addressed this issue in February 2017. The protocol misuse can be taken advantage of because, after installation of Smart Install, the feature remains enabled without any security controls. This can allow actors to modify Trivial File Transfer Protocol (TFTP) server settings, steal configuration files via TFTP, replace an IOS image, set up new accounts, and execute IOS commands.
Recommendation: Your company should have policies in place to apply security updates when they become available. As this story shows, threat actors often use old vulnerabilities because they are well-documented and thus easier to exploit. Cisco’s Security Advisory discussing this issue can be viewed here: “https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi”.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.
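As an added illustration of how a defender can check for the exposure described above (this is example code, not from the original story, Cisco, or ThreatStream), the script below does two things: it scans constructed flow-log lines for connections to the Smart Install client service (TCP/4786) that originate outside a management subnet, and it checks constructed IOS running-config excerpts for the global `no vstack` line that disables the Smart Install client. The log format, the management subnet, the hostnames and all addresses are constructed for the example.

```python
"""Spot Cisco Smart Install (SMI) exposure from two defender-side artefacts.

Added example, not part of the original article. Assumptions:
  - The Smart Install client listens on TCP/4786 on the switch.
  - The global IOS command `no vstack` disables the Smart Install client.
  - The flow-log lines and config excerpts below are constructed for the example.
"""
import ipaddress
import re

# Constructed flow-log lines: "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_FLOWS = """
2018-04-09T10:00:01Z 10.20.0.5:51234 -> 10.10.1.2:4786 tcp
2018-04-09T10:00:02Z 203.0.113.7:40001 -> 10.10.1.2:4786 tcp
2018-04-09T10:00:03Z 10.20.0.5:51235 -> 10.10.1.2:22 tcp
2018-04-09T10:00:04Z 198.51.100.9:40002 -> 10.10.1.3:4786 tcp
2018-04-09T10:00:05Z 10.30.0.9:40003 -> 10.10.1.3:4786 tcp
"""

SMI_PORT = 4786
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # constructed management subnet

FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")


def flag_smi_connections(flow_text, mgmt_nets=MGMT_NETS):
    """Return (src, dst) pairs for TCP/4786 connections from outside the management subnets.

    A hit means the Smart Install port is reachable from a host that should
    never talk to it; it is an exposure indicator, not proof of compromise.
    """
    hits = []
    for line in flow_text.strip().splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the constructed format
        _ts, src, _sport, dst, dport, proto = m.groups()
        if proto.lower() != "tcp" or int(dport) != SMI_PORT:
            continue
        src_ip = ipaddress.ip_address(src)
        if not any(src_ip in net for net in mgmt_nets):
            hits.append((src, dst))
    return hits


# Constructed running-config excerpts: one switch left at the default, one mitigated.
CONFIG_UNMITIGATED = """
hostname access-sw-01
!
interface Vlan1
 ip address 10.10.1.2 255.255.255.0
!
end
"""

CONFIG_MITIGATED = """
hostname access-sw-02
!
no vstack
!
interface Vlan1
 ip address 10.10.1.3 255.255.255.0
!
end
"""


def smart_install_disabled(config_text):
    """True if the config carries the global 'no vstack' line that disables the SMI client."""
    return any(line.strip() == "no vstack" for line in config_text.splitlines())


if __name__ == "__main__":
    for src, dst in flag_smi_connections(SAMPLE_FLOWS):
        print(f"ALERT: Smart Install (TCP/{SMI_PORT}) reached from non-management host {src} -> {dst}")
    for name, cfg in (("access-sw-01", CONFIG_UNMITIGATED), ("access-sw-02", CONFIG_MITIGATED)):
        state = "disabled" if smart_install_disabled(cfg) else "STILL ENABLED (add 'no vstack')"
        print(f"{name}: Smart Install {state}")
```

Run against real flow records and `show running-config` output, the same two checks give an inventory of switches that still expose Smart Install and of hosts reaching it from outside the management network; a switch that shows up in the second list and lacks `no vstack` is the one to remediate first.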