Attackers are exploiting a “protocol misuse” issue in Cisco’s Smart Install Client to gain entry to critical infrastructure providers, according to researchers. They believe the attackers are linked to nation-state hackers and point to US CERT’s recent alert detailing suspected Russian Government attacks on US agencies and organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. Symantec refers to that hacking group as Dragonfly.
Commentary from the following security expert:
Martin Jartelius, CSO at Outpost24, who said:
It is extremely hard to defend against a motivated attacker with large sets of resources, the only way is defence in depth and a good base hygiene. When your enemy is a nation state, you are fighting from a very poor position. In history, a well defended small force could hold of a capable enemy for a very long time – the same still holds true, but the requirement is defence in depth, use your money and resources smartly – and audit as much as possible by automation. Maintain an asset inventory, know what you have on it, and audit it using a vulnerability management program.
In terms of mitigation, when you setup devices, remove any services you are not using. Not a single of these breaches would have been possible if even basic hardening had been applied to the devices, or a vulnerability management program had been in place to detect exposed services. In this case, simply turning of this service will mitigate THIS risk, but without a process to do this for any unused or unnecessary service, soon there is a next mitigation, and a next, and a next. You can only win this battle by preventive measures.
Additionally, if an organisation invests in technology to defend themselves – ensure to configure it properly. Security deteriorates over time, maintaining it is a process. If you find yourself running mitigations frequently, you are running reactive security. There is no way to win this battle by a purely reactive security program.