
Massive attack on Cisco

This evening (Friday) I twice received a notification about an attack on Cisco routers. As a result of a successful attack, the device configuration is deleted.

Runet Cisco attack

I hope this information from the IX mailing list will be useful:
We are forced to draw your attention to the fact that a botnet which infects Cisco devices is currently particularly active on the network.

According to the data available to us, as a result of this virus the entire configuration of the network device is erased and reconfiguration via the remote console is required.

The exploited vulnerability is CVE-2018-0171.

Note that the virus scans networks for an open TCP port 4786.

The MSK-IX network infrastructure is unaffected.

As security measures, the port can be blocked using access lists, or vstack can be disabled (the 'no vstack' command).
When the message was repeated an hour later, they added that they were ready to help affected participants quickly get console access to their routers (which means the number of affected participants is not zero and not one).
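The two countermeasures the mailing recommends, written out as an IOS configuration session. This is an added example, not part of the original post or the MSK-IX mailing; the director address 192.0.2.1, the interface name GigabitEthernet1/0/1 and the ACL name SMI_HARDENING are placeholders chosen for illustration.

```cisco
! Added example (not from the post or the IX mailing): hardening a
! Catalyst switch against Smart Install (SMI) abuse, CVE-2018-0171.

! 1. Preferred: disable the Smart Install client if it is not in use.
configure terminal
 no vstack
end
copy running-config startup-config

! Verify the client is off (output should show Smart Install disabled).
show vstack config

! 2. If Smart Install must stay enabled, only the director may reach
!    TCP 4786. 192.0.2.1 = assumed director address (placeholder),
!    GigabitEthernet1/0/1 = assumed uplink interface (placeholder).
configure terminal
 ip access-list extended SMI_HARDENING
  permit tcp host 192.0.2.1 any eq 4786
  deny   tcp any any eq 4786
  permit ip any any
 interface GigabitEthernet1/0/1
  ip access-group SMI_HARDENING in
end
copy running-config startup-config

! Confirm nothing unexpected is listening on or connected to port 4786.
show tcp brief all
```

Neither step replaces the vendor patch: `no vstack` and the ACL only remove the exposure, so the device still needs the fixed release. Re-run `show vstack config` after the next reload to confirm the setting survived, since on some IOS releases the Smart Install client state has to be rechecked after a reboot.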

As written earlier, the vulnerability received the identifier CVE-2018-0171 and a score of 9.8 on the CVSS scale. The problem stems from incorrect validation of packets in the SMI client (Cisco Smart Install). The problem was published on March 28; Cisco developers have already released patches for the discovered bug, after which researchers published a proof-of-concept exploit.
It seems that on Friday evening some “funny guys” decided to use their botnet to scan for open TCP port 4786 and then attack the detected devices.

Earlier reports mentioned 8.5 million devices found with an open port and 250 thousand without patches. By tomorrow morning we will find out what percentage of them are on the Runet.

PS: Since I do not consider myself a Cisco security specialist, any additions are welcome in the comments. I hope they will also help administrators avoid attacks.

PPS: Zadarma's cloud infrastructure was not affected, but at the same time we noticed problems with some telephone operators in Moscow; perhaps they were related to the attack.

Source: https://habr.com/ru/post/352990/
