- The FBI has warned of Russian hackers abusing CVE-2018-0171
- Configuration files from “thousands” of Cisco devices were already stolen
- The bug affects many outdated endpoints, so patch now
Russian state-sponsored threat actors are abusing a years-old Cisco vulnerability to spy on organizations in the West, the FBI is warning.
In a public service announcement posted on the IC3 website, the FBI said it saw Center 16 – a threat actor linked to the Russian Federal Security Service (FSB) – exploiting Simple Network Management Protocol (SNMP), and a vulnerability in Cisco Smart Install (SMI) instances that reached end-of-life status.
The goal, the agency says, is to “broadly target entities in the United States and globally”.
End of life
The vulnerability being exploited here is tracked as CVE-2018-0171. Discovered roughly seven years ago, this improper validation of packet data flaw in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software allows unauthenticated, remote adversaries, to trigger a reload of an affected device, resulting in either arbitrary code execution, or a denial of service (DoS) condition.
The bug affected a wide range of Cisco Catalyst switches, including models from the Catalyst 2000, 3000, 3650, 3850, 4500, and 9000 series.
Cisco Industrial Ethernet switches, as well as some Nexus data center switches that had Smart Install enabled by default, were also affected.
Many of the older devices (Catalyst 2960, 3560, 3750, 4500E) have reached end-of-life, meaning they were never patched for this bug and remain vulnerable. Cisco advises users to replace them with newer models, such as those from the Catalyst 9000 series, which remain active product lines.
Over the past year, the FBI saw Center 16 collect configuration files for “thousands” of networking devices from US entities, mostly in the critical infrastructure sector.
“On some vulnerable devices, the actors modified configuration files to enable unauthorized access to those devices,” the FBI explained.
“The actors used the unauthorized access to conduct reconnaissance in the victim networks, which revealed their interest in protocols and applications commonly associated with industrial control systems.”
Via The Register
