Hackers may be collecting configuration files from routers and switches used by a number of Australian organisations, but the threat doesn’t appear to be affecting home users yet.
The Australian Cyber Security Centre (ACSC) issued an alert this week saying that switches with Cisco Smart Install that are accessible from the internet, as well as switches or routers with Simple Network Management Protocol (SNMP) enabled and exposed to the internet, are at risk of being hacked.
ACSC says that the configuration files could contain device administrator credentials and other information, which could then be used to attack the router or switch and then compromise any other devices using the network.
If attackers compromise devices, they could potentially gain access to information sent from and to those devices.
ACSC suggests that administrators who know devices can be directly managed from the internet should review logs for any suspicious activities.
In February this year, security research firm Talos found evidence that attackers were scanning infrastructure with the aim of finding Cisco Smart Install clients and using them to uncover customer configurations.
“We are aware that a tool to scan for affected systems, called the Smart Install Exploitation Tool (SIET), has been publicly released and is available here. This tool may be being used in these attacks,” Talos said in its blog.
Cisco added that if customers find devices that have Smart Install enabled, they should disable the software immediately through the no vstack configuration command.
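For administrators who want to check saved device configurations against the two conditions in the alert, the following is an added example, not code from ACSC, Cisco or Talos. It assumes the configuration is available as running-config text and that a disabled Smart Install shows up as a `no vstack` line; the hostname, addresses and community strings are constructed.

```python
import re

# Constructed sample of a saved IOS running-config (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-sw-01
!
snmp-server community public RO
snmp-server community n0c-ops RW 15
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
"""

# The same config after remediation: Smart Install disabled with the command
# named in the article, and SNMP limited to one read-only, ACL-bound community.
HARDENED_CONFIG = (SAMPLE_CONFIG
                   .replace("snmp-server community public RO\n", "")
                   .replace(" RW 15", " RO 15") + "no vstack\n")

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?\s*$",
    re.IGNORECASE)


def audit_config(text):
    """Return a list of findings for Smart Install and SNMP exposure."""
    findings = []
    lines = [ln.strip() for ln in text.splitlines()]
    # Assumption: a device with Smart Install disabled carries 'no vstack'.
    # A platform without the feature also lacks the line, so treat this
    # finding as "verify on the device", not as proof of exposure.
    if "no vstack" not in lines:
        findings.append("smart-install: 'no vstack' not present")
    for ln in lines:
        m = COMMUNITY_RE.match(ln)
        if not m:
            continue
        _community, mode, acl = m.groups()   # never echo the secret itself
        mode = (mode or "RO").upper()        # IOS defaults to read-only
        if acl is None:
            findings.append(f"snmp: {mode} community has no access list")
        if mode == "RW":
            findings.append("snmp: read-write community configured")
    return findings
```
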
Those activities could include:
While ACSC did not explicitly state which Australian organisations have been affected by the attacks, it has provided a list of tips to minimise threats to individuals and their organisations: