A powerful botnet attack is currently under way. All Internet addresses are being scanned for a fresh vulnerability in Cisco IOS software that allows commands to be executed remotely on Cisco devices. The bot connects to a device and deletes its configuration, writing its own files in its place.
The vulnerability has been assigned the identifier CVE-2018-0171 and scored 9.8 on the CVSS scale. If your Internet connection has just gone down, or goes down in the near future, it is highly likely to be because of this vulnerability. Network performance problems are being observed right now, including by the Hi-News.ru team.
Cisco has published a report according to which hundreds of thousands of devices on the Internet are vulnerable because of Smart Install. The company has warned operators of critical infrastructure about the risks of using vulnerable devices.
Smart Install allows you to automate the process of initial configuration and download the current operating system image for a new network switch.
Cisco reported a surge in scans attempting to detect vulnerable devices with Smart Install enabled back in February last year. At that time it said that hacker groups could use Smart Install to obtain copies of the configurations of affected customers' devices. It was also reported that the attackers used an open-source tool to scan for vulnerable systems. The tool is called Smart Install Exploitation Tool (SIET).
Cisco has now issued a new statement:
"Cisco is aware of a significant increase in the number of attempts to scan for vulnerable devices with Smart Install enabled. As a result of a successful attack, an attacker can modify the configuration file, force a restart of the device, load a new IOS image onto it and run CLI commands with the highest privileges."
According to experts, some of these attacks were carried out by a group known as Dragonfly, Crouching Yeti and Energetic Bear. Administrators are therefore advised to install the update or to disable, in the device settings, the SMI technology, which is designed to automate the initial configuration and firmware download for new switches.
The problem is that many owners neither configure nor turn off the SMI protocol, so the client continues to wait for "installation" commands in the background. Using the vulnerability, an attacker can modify the TFTP server settings and retrieve configuration files via TFTP, change the switch's general configuration file, replace the IOS operating system image, and create a local account that lets the attacker log into the device and execute any command.
To exploit the vulnerability, the attacker needs to reach TCP port 4786, which is open by default. It is reported that the problem can also be used for a DoS attack, sending vulnerable devices into an endless loop of reboots.
According to Cisco Talos, 168 thousand switches that support SMI are currently reachable. However, according to the analysts at Embedi, more than 8.5 million devices with port 4786 open have been found on the Internet in total, and the patch that fixes the critical vulnerability has not been installed on approximately 250,000 of them.
Embedi analysts conducted penetration testing on Catalyst 4500 Supervisor Engine devices and on Cisco Catalyst 3850 and Cisco Catalyst 2960 series switches, but the vulnerability probably affects all devices that run Smart Install, namely:
Cisco has published instructions for disabling the protocol on affected devices, and has also released a tool for scanning local networks or the Internet to search for vulnerable devices.
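An added example (not from the original article or from Cisco): a short Python check that reads firewall or flow records and reports which switches accepted connections on TCP port 4786 from outside a trusted management network, and which sources probed several hosts on that port. The CSV record layout, the sample addresses and the function name `analyze_smi_flows` are assumptions constructed for illustration.

```python
import csv
import ipaddress
from collections import defaultdict

SMI_PORT = 4786  # TCP port the Smart Install client listens on (from the article)

# Constructed sample flow records: timestamp,src_ip,dst_ip,proto,dst_port,action
SAMPLE_FLOWS = """\
2018-04-06T21:10:01Z,10.0.0.5,10.20.1.11,tcp,4786,allow
2018-04-06T21:10:04Z,198.51.100.23,10.20.1.11,tcp,4786,allow
2018-04-06T21:10:04Z,198.51.100.23,10.20.1.12,tcp,4786,allow
2018-04-06T21:10:05Z,198.51.100.23,10.20.1.13,tcp,4786,deny
2018-04-06T21:10:09Z,203.0.113.7,10.20.1.12,tcp,4786,allow
2018-04-06T21:10:11Z,203.0.113.7,10.20.1.12,tcp,22,allow
2018-04-06T21:10:12Z,not-an-ip,10.20.1.12,tcp,4786,allow
"""

def analyze_smi_flows(text, trusted_nets, scan_threshold=3):
    """Return (exposed, scanners) for untrusted TCP/4786 traffic.
    exposed:  switch IP -> sorted untrusted sources whose connection was allowed
    scanners: sorted untrusted sources that probed >= scan_threshold distinct hosts
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    exposed = defaultdict(set)   # destination -> untrusted sources let through
    targets = defaultdict(set)   # untrusted source -> destinations it probed
    for row in csv.reader(text.splitlines()):
        if len(row) != 6:
            continue
        _, src, dst, proto, port, action = (f.strip() for f in row)
        if proto.lower() != "tcp" or port != str(SMI_PORT):
            continue
        try:
            src_ip = ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
        except ValueError:
            continue  # malformed record: skip it instead of aborting the report
        if any(src_ip in net for net in trusted):
            continue  # traffic from the assumed management / director network
        targets[src].add(dst)
        if action.lower() == "allow":
            exposed[dst].add(src)
    scanners = sorted(s for s, d in targets.items() if len(d) >= scan_threshold)
    return {d: sorted(s) for d, s in exposed.items()}, scanners

if __name__ == "__main__":
    exposed, scanners = analyze_smi_flows(SAMPLE_FLOWS, ["10.0.0.0/24"])
    for switch, sources in sorted(exposed.items()):
        print(f"{switch}: TCP/{SMI_PORT} reachable from untrusted {', '.join(sources)}")
    print("Scanning sources:", scanners)
```

Any switch listed as exposed is a candidate for the update or for disabling SMI, and for a filter on port 4786 at the network edge.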