CISA warns of ongoing hacking of Cisco devices with weak password setup
Take action: You should reconfigure or retire all Cisco devices using Cisco Smart Install (SMI), especially if they are exposed on the internet. Agencies are raising alarms and attack monitoring is detecting the attacks, so be sure that hackers are scanning you. It's a matter of time before you are breached. The breach will probably come sooner than your move to another company, so don't postpone.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about ongoing exploitation of the legacy Cisco Smart Install (SMI) feature by malicious cyber actors. These adversaries are leveraging this outdated feature, alongside other protocols and software on network devices, to acquire system configuration files, which can lead to deeper network compromises.
CISA has observed that weak password types on Cisco network devices are still being used, which increases the risk of password-cracking attacks.
The term "password types" refers to the specific algorithms employed to secure a Cisco device’s password within its system configuration file. When threat actors gain access to these devices, weak password protections allow them to easily obtain system configuration files, further facilitating unauthorized access and potential compromise of the entire network.
To mitigate these risks, CISA strongly recommends that organizations take the following actions:
- Disable the legacy Cisco Smart Install feature to prevent its exploitation.
- Adopt Type 8 password protection for all Cisco devices. This method uses a more secure hashing algorithm, which is recommended by the National Institute of Standards and Technology (NIST), to protect passwords within configuration files.
- Follow best practices for securing administrator accounts and passwords, including:
  - Storing passwords with a strong hashing algorithm.
  - Avoiding password reuse across different systems.
  - Assigning passwords that are strong and complex.
  - Refraining from using group accounts that lack accountability.
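
To check the first two recommendations against a saved configuration, the following added example (not code from CISA or Cisco) audits an IOS configuration dump and reports every credential line whose password type is not Type 8, with the secret value masked. It assumes the usual `enable`/`username`/`password` line formats and treats an explicit `no vstack` line as the sign that Smart Install is disabled; the sample configuration is constructed.

```python
import re

# Credential lines look like "enable secret 5 <hash>", "username bob password 7 <str>"
# or " password 7 <str>" under a line block. No type digit means cleartext (type 0).
CRED_RE = re.compile(r"\b(secret|password)\s+(?:(\d)\s+)?(\S+)\s*$")
STARTS = ("enable ", "username ", "password ")
TYPE_NOTES = {"0": "cleartext", "4": "unsalted SHA-256 (deprecated)", "5": "salted MD5",
              "6": "reversible AES", "7": "reversible obfuscation", "9": "scrypt"}

def audit_config(text):
    """Return (findings, smart_install_disabled) for an IOS configuration dump."""
    findings, smi_disabled = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == "no vstack":          # explicit Smart Install disable
            smi_disabled = True
            continue
        m = CRED_RE.search(line) if line.startswith(STARTS) else None
        if not m:
            continue
        ptype = m.group(2) or "0"
        if ptype != "8":                 # the alert recommends Type 8
            masked = line[:m.start(3)] + "<redacted>"   # never echo the secret
            findings.append((lineno, ptype, TYPE_NOTES.get(ptype, "unknown"), masked))
    return findings, smi_disabled

# Constructed sample configuration; hostnames, users and hash strings are placeholders.
SAMPLE = """\
hostname edge-sw1
service password-encryption
enable secret 5 $1$EXAMPLE$notARealHashValue000000
username admin privilege 15 secret 8 $8$EXAMPLESALT$notARealHashValue
username backup password 7 000000000000
username ops password Winter2024
line vty 0 4
 password 7 000000000000
 login
"""

if __name__ == "__main__":
    findings, smi_disabled = audit_config(SAMPLE)
    for lineno, ptype, note, masked in findings:
        print(f"line {lineno}: type {ptype} ({note}): {masked}")
    if not smi_disabled:
        print("no 'no vstack' line found: confirm Smart Install state on the device")
```

A missing `no vstack` line is not proof that Smart Install is running, since not every platform supports the feature; confirm on the device itself.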