
ACSC confirms backdoor attacks on Aussie firms through Cisco switches & routers

18 Aug 17

Hackers may be collecting configuration files from routers and switches used by a number of Australian organisations, but the threat doesn’t appear to be affecting home users yet.

The Australian Cyber Security Centre (ACSC) issued an alert this week which says that switches with Cisco Smart Install accessible from the internet, as well as switches or routers with Simple Network Management Protocol (SNMP) enabled and exposed to the internet, are at risk of being hacked.

ACSC says that the configuration files could contain device administrator credentials and other information, which could then be used to attack the router or switch and then compromise any other devices using the network.

If attackers compromise devices, they could potentially gain access to information sent from and to those devices.

ACSC suggests that administrators who know devices can be directly managed from the internet should review logs for any suspicious activities.

In February this year, security research firm Talos found evidence that attackers were scanning infrastructure with the aim of finding Cisco Smart Install clients and using them to uncover customer configurations.

“We are aware that a tool to scan for affected systems, called the Smart Install Exploitation Tool (SIET), has been publicly released and is available here. This tool may be being used in these attacks,” Talos said in its blog.

Cisco added that if customers find devices that have Smart Install enabled, they should disable the software immediately through the no vstack configuration command.

The suspicious activities ACSC refers to could include:

  • configurations or command output obtained by external sources via TFTP
  • SNMP queries from unexpected sources
  • configuration of unexpected GRE tunnels.
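The three indicators above can be checked mechanically against exported syslog. The script below is an added illustration, not part of the ACSC alert or of any Cisco tooling: it flags SNMP requests from any host other than the management station, TFTP transfers involving an external host, and configuration commands that create tunnel interfaces or set GRE tunnel mode. The sample log lines are constructed for this example (the %SNMP-3-AUTHFAIL, %SYS-5-CONFIG_I and %PARSER-5-CFGLOG_LOGGEDCMD formats are modelled on Cisco IOS messages but the hosts, names and timestamps are made up), and the trusted management address and internal range are assumptions.

```python
import ipaddress
import re

# Assumed management station(s); any other SNMP source is "unexpected".
TRUSTED_MANAGEMENT = {"10.20.0.5"}
# Assumed internal address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample syslog lines, not real captures.
SAMPLE_LOGS = [
    "Aug 16 02:11:03 sw-core1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.20.0.5)",
    "Aug 16 02:14:40 sw-core1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.77",
    "Aug 16 02:15:02 sw-core1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.20.0.5",
    "Aug 16 02:20:11 sw-core1 %SYS-5-CONFIG_I: Configured from tftp://198.51.100.9/sw-core1.cfg by console",
    "Aug 16 02:21:30 sw-core1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:interface Tunnel99",
    "Aug 16 02:21:31 sw-core1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:tunnel mode gre ip",
    "Aug 16 02:25:09 sw-core1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.30.0.9",
]

SNMP_RE = re.compile(r"SNMP req from host (\S+)")
TFTP_RE = re.compile(r"tftp://([^/\s]+)")
GRE_RE = re.compile(r"logged command:\s*(interface Tunnel\d+|tunnel mode gre\b.*)")


def is_internal(host):
    """True if host is an IP address inside the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames cannot be classified here, so treat as external
    return any(addr in net for net in INTERNAL_NETS)


def scan(lines):
    """Return (indicator, detail, line) tuples for each suspicious log line."""
    findings = []
    for line in lines:
        m = SNMP_RE.search(line)
        if m and m.group(1) not in TRUSTED_MANAGEMENT:
            # Internal-but-unknown sources are flagged too: only the NMS should poll.
            findings.append(("snmp-unexpected-source", m.group(1), line))
        m = TFTP_RE.search(line)
        if m and not is_internal(m.group(1)):
            findings.append(("tftp-external-host", m.group(1), line))
        m = GRE_RE.search(line)
        if m:
            findings.append(("gre-tunnel-config", m.group(1), line))
    return findings


if __name__ == "__main__":
    for indicator, detail, line in scan(SAMPLE_LOGS):
        print(f"{indicator:24} {detail:20} {line}")
```

On the constructed input this reports two unexpected SNMP sources (the external 203.0.113.77 and the internal but unknown 10.30.0.9), one configuration pull from an external TFTP server, and two GRE tunnel configuration commands; the SNMP attempt from the management station itself is not reported. Whether an address counts as internal depends on INTERNAL_NETS, which should be set to the organisation's own ranges.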

While ACSC did not explicitly state which Australian organisations have been affected by the attacks, it has provided a list of tips to minimise threats to individuals and their organisations:

  • Disable SNMP Read/Write if not strictly required (consider disabling SNMP entirely if not required). If SNMP Read/Write is required, then at least one of the following two options should be put in place: EITHER ensure the SNMP service cannot be connected to untrusted sources OR upgrade to SNMPv3 and change all community strings.
  • Implement Access Control Lists (ACL) to restrict SNMP access to your network management platform AND configure anti-spoofing at the edge of your network so that spoofed packets claiming to be sent from your network management platform are dropped.
  • Disable Cisco Smart Install if not strictly required. Cisco has published advice to prevent misuse of the Smart Install feature.
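The following Cisco IOS fragment is an added worked example of the three tips above, not configuration taken from the ACSC alert or from Cisco's advisory. The first part shows the exposed state the alert warns about; the second applies the mitigations. The management station address 10.20.0.5, the ACL and group names, the interface name and the password placeholders are assumptions for this example.

```cisco
! --- Exposed state: SNMPv2c read-write with well-known communities reachable
! --- from anywhere, and Smart Install (vstack) left enabled.
snmp-server community public RO
snmp-server community private RW

! --- Hardened state ---
! Remove the old communities (the strings must be treated as compromised).
no snmp-server community public
no snmp-server community private

! Only the management station may talk SNMP to this device.
ip access-list standard NMS-ONLY
 permit host 10.20.0.5
 deny   any log

! SNMPv3 with authentication and privacy, bound to the ACL above.
snmp-server view NMS-VIEW iso included
snmp-server group NMS-GRP v3 priv read NMS-VIEW access NMS-ONLY
snmp-server user nmsuser NMS-GRP v3 auth sha <auth-password> priv aes 128 <priv-password>

! If a legacy tool still needs v2c, keep it read-only, on a new community string,
! and tied to the same ACL:
! snmp-server community <new-community-string> RO NMS-ONLY

! Disable Smart Install (the command Cisco recommends). On images where
! "no vstack" is not available, Cisco's advice is to block TCP port 4786 with an ACL instead.
no vstack

! Anti-spoofing at the internet edge: inbound packets claiming a source in the
! management network cannot be legitimate, so drop and log them.
ip access-list extended EDGE-IN
 deny   ip 10.20.0.0 0.0.255.255 any log
 permit ip any any
interface GigabitEthernet0/1
 description internet-facing
 ip access-group EDGE-IN in
```

After applying this, "show snmp community" should list no v2c communities (or only the read-only one bound to NMS-ONLY), "show vstack config" should report the role as client disabled, and a hit counter on the "deny ... log" entries in "show access-lists" is itself a useful indicator of probing.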