santiago silver - Fotolia

Russian hackers target opening in Cisco switch security

Russian hackers are suspected of targeting a utility flaw to bypass Cisco switch security and penetrate enterprise networks and critical U.S. infrastructure.

Cisco has warned enterprises that nation-state hackers -- some possibly from Russia -- are targeting a vulnerability in its switches that could let an attacker compromise corporate networks and critical U.S. infrastructure.

The advisory, issued late last week, reported "several incidents in multiple countries, including some specifically targeting critical infrastructure," had involved the known vulnerability in the Cisco Smart Install Client. The legacy utility lets organizations automate the process of installing switches.

Some of the attacks aimed at bypassing Cisco switch security were believed to be part of Russian government cyberactivity reported last month by an agency of the U.S. Department of Homeland Security (DHS), Cisco's Talos security group said in a blog post.

"As a result, we are taking an active stance, and are urging customers, again, of the elevated risk and available remediation paths," Talos said.

The U.S. Computer Emergency Readiness Team (US-CERT) within the DHS issued an alert that said Russian attackers were targeting the energy, nuclear, water, aviation and critical manufacturing sectors.

Attackers had been successful against some small facilities in the U.S. energy sector, the US-CERT alert said. The hackers penetrated the networks through malware and spear phishing and stole information on industrial control systems. Spear phishing is a technique in which carefully crafted emails are used to trick the recipient into opening a malicious attachment.

Vulnerability fixes for Cisco switch security

Cisco has been monitoring hackers trying to exploit the Smart Install Client since 2017. On Valentine's Day last year, the company advised customers that attackers were scanning the internet for hardware using the vulnerable software.

The bug, called a stack-based buffer overflow, enables an attacker to execute arbitrary code on the Smart Install Client without authentication. As a result, an attack can get "full control" over vulnerable network equipment, security company Embedi reported. The utility automates the process of configuring a new switch and loading an image of the operating system a company is using.

The tool makes it possible for an organization to connect a switch to the network, power it on and have it ready for use without an administrator.

Talos has released an open source tool that scans switches in search of attackers trying to exploit the Smart Install Client flaw. Separately, Cisco has released a patch for another vulnerability in the utility and recommended customers install the fix to bolster Cisco switch security.

Dig Deeper on Network security