Attackers are targeting Australian organisations with routers and switches exposed to the internet to steal configuration files and infiltrate their networks, the Australian Cyber Security Centre has warned.
The ACSC said it had identified a threat to switches with the Cisco smart install feature turned on, and routers or switches with simple network management protocol (SNMP) enabled and exposed to the internet.
It said attackers were extracting configuration files in order to nab admin credentials and compromise the router or switch, and potentially other devices on the network.
"Access to the device may facilitate malicious cyber adversaries gaining access to the information that flows through the device," the ACSC warned.
Cisco in February revealed attackers were targeting organisations with smart install enabled in order to abuse the protocol, obtain copies of customer configurations and, where possible, replace the IOS image and execute IOS commands.
Smart install is used by admins to give a switch a minimal configuration that is fetched from a central repository, but organisations can become vulnerable when the feature remains turned on after the device is live.
Smart install has been replaced in newer systems by Cisco's network plug and play feature.
The ACSC advised administrators to check their logs for any unusual activity like configurations or command output obtained by external sources via TFTP, SNMP queries from unexpected sources, and configuration of unexpected GRE tunnels.
It suggested organisations disable SNMP read/write unless it is absolutely needed, in which case admins should either ensure SNMP cannot be reached from untrusted sources, or upgrade the service to SNMPv3 and change all community strings.
Access control lists should also be put in place to restrict SNMP access to the network management platform, and anti-spoofing should be configured at the network edge to drop spoofed packets.
Cisco's smart install feature should also be disabled unless it is strictly required, the ACSC said.
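The checks the ACSC lists above (SNMP read/write left on, communities without an access list, no SNMPv3, smart install still enabled, unexpected GRE tunnels) can be run mechanically against a saved running-config. The script below is an added example, not ACSC or Cisco code; the configuration excerpt and the trusted management range 10.10.0.0/16 are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample running-config excerpt (not from the advisory), mixing
# weak and corrected settings so each check has something to find.
SAMPLE_CONFIG = """\
snmp-server community public RW
snmp-server community mgmt-ro RO 10
snmp-server group NETMGMT v3 priv
interface Tunnel0
 tunnel mode gre ip
 tunnel destination 198.51.100.7
!
"""

# Networks on which tunnels are expected to terminate (assumed value).
TRUSTED_NETS = [ip_network("10.10.0.0/16")]


def audit_config(config: str, trusted_nets=TRUSTED_NETS):
    """Return (severity, finding) tuples for the indicators the ACSC lists."""
    findings = []
    lines = config.splitlines()
    # 1. SNMP read/write enabled, and any community string without an ACL.
    for line in lines:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", line)
        if not m:
            continue
        name, mode, acl = m.groups()
        if mode == "RW":
            findings.append(("high", f"SNMP read/write community '{name}' enabled"))
        if acl is None:
            findings.append(("medium", f"SNMP community '{name}' has no access list"))
    # 2. Community-string (v1/v2c) access with no SNMPv3 group configured.
    has_community = any(l.startswith("snmp-server community") for l in lines)
    has_v3 = any(re.match(r"snmp-server group \S+ v3 (auth|priv)", l) for l in lines)
    if has_community and not has_v3:
        findings.append(("medium", "no SNMPv3 group; only community-string access"))
    # 3. Smart Install still on: the "no vstack" line is absent.
    if "no vstack" not in lines:
        findings.append(("high", "Smart Install (vstack) not disabled"))
    # 4. Tunnel interfaces whose peer lies outside the trusted ranges.
    current = None
    for line in lines:
        if line.startswith("interface Tunnel"):
            current = line.split()[1]
        m = re.match(r"\s*tunnel destination (\S+)", line)
        if current and m:
            dst = ip_address(m.group(1))
            if not any(dst in n for n in trusted_nets):
                findings.append(("high", f"{current}: tunnel to unexpected peer {dst}"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_config(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```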
It urged any organisations affected by these attacks to report the incident.