CISA

​On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommended disabling the legacy Cisco Smart Install (SMI) feature after seeing it abused in recent attacks.

CISA has spotted threat actors using this tactic and leveraging other protocols or software to steal sensitive data, such as system configuration files, which prompted an alert advising admins to disable the legacy SMI protocol (superseded by the Cisco Network Plug and Play solution) to block these ongoing attacks.

It also recommended reviewing the NSA's Smart Install Protocol Misuse advisory and Network Infrastructure Security Guide for further configuration guidance.

In 2018, the Cisco Talos team also warned that the Cisco SMI protocol was being abused to target Cisco switches in attacks linked to multiple hacking groups, including the Russian-backed Dragonfly APT group (also tracked as Crouching Yeti and Energetic Bear).

The attackers took advantage of switch owners' failure to configure or disable the protocol, which left the SMI client running and waiting for "installation/configuration" commands.

Vulnerable switches allowed the threat actors to alter configuration files, replace the IOS system image, add rogue accounts, and exfiltrate information via the TFTP protocol.

In February 2017 and February 2018, Cisco warned customers that malicious actors were actively scanning for Internet-exposed SMI-enabled Cisco devices.

Threat monitoring service Shadowserver currently tracks over 6,000 IP addresses with the Cisco Smart install feature exposed online, down from over 11,000 in August 2023.

Cisco Smart Install online exposure
Cisco Smart Install online exposure (Shadowserver)

Abuse of weak password types

Admins were also advised today to implement better password protection measures after CISA found that attackers exploit weak password types to compromise Cisco network devices.

"A Cisco password type is the type of algorithm used to secure a Cisco device's password within a system configuration file. The use of weak password types enables password cracking attacks," the agency added today.

"Once access is gained a threat actor would be able to access system configuration files easily. Access to these configuration files and system passwords can enable malicious cyber actors to compromise victim networks. Organizations must ensure all passwords on network devices are stored using a sufficient level of protection."

CISA recommends using NIST-approved type 8 password protection for all Cisco devices. This ensures passwords are hashed with the Password-Based Key Derivation Function version 2 (PBKDF2), the SHA-256 hashing algorithm, an 80-bit salt, and 20,000 iterations.

More information on enabling Type 8 privilege EXEC mode passwords and creating a local user account with a Type 8 password on a Cisco device is available in NSA's Cisco Password Types: Best Practices guide.

The cybersecurity agency recommends following best practices for securing administrator accounts and passwords within configuration files.

This includes properly storing passwords using a strong hashing algorithm, avoiding password reuse across systems, using strong and complex passwords, and avoiding using group accounts that do not provide accountability.

Related Articles:

CISA urges tech manufacturers to stop using default passwords

CISA warns of more Palo Alto Networks bugs exploited in attacks

New Cisco ASA and FTD features block VPN brute-force password attacks

CISA urges software devs to weed out XSS vulnerabilities

The true (and surprising) cost of forgotten passwords