The Australian Cyber Security Centre (ACSC) is aware that cyber adversaries are extracting configuration files from the routers and switches of a number of Australian organisations. We have no evidence at this stage to suggest that home users are directly impacted by this threat.
Identifying vulnerable devices
Switches with Cisco Smart Install accessible from the internet, and routers or switches with Simple Network Management Protocol (SNMP) enabled and exposed to the internet, are vulnerable to this activity.
Extracted configuration files may contain sensitive information, such as device administrative credentials, and could be used to compromise the router/switch and enable targeting of other devices on the network. Access to the device may facilitate malicious cyber adversaries gaining access to the information that flows through the device.
Administrators of devices that can be directly managed from the internet should review logs for unusual activity, including:
- configurations or command output obtained by external sources via TFTP
- SNMP queries from unexpected sources
- configuration of unexpected GRE tunnels.
Preventing malicious activity
To minimise the threat to you and your organisation, ACSC recommends:
- Disable SNMP Read/Write if not strictly required (consider disabling SNMP entirely if not required). If SNMP Read/Write is required, then at least one of the following two options should be put in place: EITHER ensure the SNMP service cannot be connected to untrusted sources OR upgrade to SNMPv3 and change all community strings.
- Implement Access Control Lists (ACL) to restrict SNMP access to your network management platform AND configure anti-spoofing at the edge of your network so that spoofed packets claiming to be sent from your network management platform are dropped.
- Disable Cisco Smart Install if not strictly required. Cisco has published advice to prevent misuse of the Smart Install feature.
The ACSC also recommends the advice published by the UK National Cyber Security Centre.
Good cyber security practices
More broadly, the ACSC recommends all organisations take steps to protect themselves online – the Australian Signals Directorate's Strategies to Mitigate Cyber Security Incidents, including the Essential Eight strategies all businesses should implement as their minimum cyber security baseline.
Should any evidence of this activity be identified, organisations are urged to report the incident via the ACSC website.
All media enquiries should be directed to firstname.lastname@example.org