The Australian Cyber Security Centre (ACSC) has warned businesses to lock down their networking gear after a number of organisations were targeted by attackers seeking to access the configuration files of Internet-facing routers in the hope of obtaining device admin credentials.
The centre said today that organisations with Cisco network switches that have the company’s Smart Install feature accessible from the Internet, and routers and switches that have SNMP accessible from external networks are vulnerable.
Last week the UK’s National Cyber Security Centre issued an advisory stating that it was “aware of a number of router compromises in telecommunications companies and Internet Service Providers, where a hostile actor has extracted configuration files from internet facing network devices.”
“The configuration files can contain administrative credentials which may then be used to compromise all traffic passing through the router, and allow the actor to target other devices on the network. They have also gained interactive engineer access to some routers,” the NCSC said.
The UK cyber security watchdog said that in some cases, an attacker has used Generic Routing Encapsulation (GRE) tunnels to extract traffic traversing the router.
The ACSC said that network admins should review device logs for activity including configurations or command output obtained by external sources via TFTP, SNMP queries from unexpected sources, or configuration of unexpected GRE tunnels.
SNMP Read/Write should be disabled if not required, the organisation said. If it is required, businesses should either ensure SNMP cannot be reached from untrusted sources or upgrade to SNMPv3 and change all community strings.
The ACSC also advised organisations to use access control lists to restrict SNMP access to their network management platform and implement anti-spoofing measures at the edge of their networks. Businesses should consider disabling Smart Install, it added.
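As an added example, not code from the ACSC or NCSC advisories, the script below reviews router syslog for the three indicators the ACSC lists: configuration export via TFTP, SNMP traffic from sources outside the management network, and GRE tunnel configuration. The sample log lines are constructed (their shapes are loosely modelled on Cisco IOS messages), and the trusted management range is an assumption.

```python
import ipaddress
import re

# Assumed network management range; SNMP/TFTP from anywhere else is "unexpected".
TRUSTED_MGMT = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample syslog (not real device output); shapes loosely follow Cisco IOS.
SAMPLE_LOG = """\
Apr 17 09:12:01 edge-rtr1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.7
Apr 17 09:12:05 edge-rtr1 SNMP: Packet received via UDP from 10.20.0.15 on GigabitEthernet0/1
Apr 17 09:13:40 edge-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:interface Tunnel0
Apr 17 09:13:41 edge-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:tunnel mode gre ip
Apr 17 09:15:02 edge-rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.20.0.15)
Apr 17 09:16:30 edge-rtr1 CMD: copy running-config tftp://198.51.100.9/edge-rtr1.cfg
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# SNMP request or auth failure with a source address (two assumed message shapes).
SNMP_SRC = re.compile(r"SNMP.*?(?:from host|received via UDP from) " + IPV4)
# Any copy of a *config* file to a TFTP destination.
TFTP_CFG = re.compile(r"copy\s+\S*config\S*\s+tftp://" + IPV4, re.I)
# Config-logger entries that create a tunnel interface or set GRE mode.
GRE_TUNNEL = re.compile(r"logged command:(interface Tunnel\d+|tunnel mode gre\b.*)")


def is_trusted(ip):
    """True if ip falls inside the assumed management range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT)


def find_indicators(log_text):
    """Return (line_no, category, detail) for each line matching an ACSC review item.

    SNMP and TFTP hits are only reported when the peer is outside TRUSTED_MGMT;
    GRE tunnel configuration is always reported so an operator can confirm it was expected.
    """
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if m := SNMP_SRC.search(line):
            if not is_trusted(m.group(1)):
                hits.append((n, "snmp_unexpected_source", m.group(1)))
        elif m := TFTP_CFG.search(line):
            if not is_trusted(m.group(1)):
                hits.append((n, "config_to_tftp", m.group(1)))
        elif m := GRE_TUNNEL.search(line):
            hits.append((n, "gre_tunnel_config", m.group(1)))
    return hits


if __name__ == "__main__":
    for line_no, category, detail in find_indicators(SAMPLE_LOG):
        print(f"line {line_no}: {category} ({detail})")
```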