Cisco Smart Install misuse
CERT NZ is aware of an active campaign targeting Cisco devices with Smart Install (SMI) enabled.
Attackers are identifying these devices by scanning public IP addresses for the SMI port being open and the service running. Once a device is identified, the attacker misuses the SMI protocol to gain access to and control of the device.
Affected devices are Cisco devices that have SMI enabled and are internet-accessible. These devices can be identified in a number of ways, including checking for devices with SMI port 4786 open and the service running.
Exploiting this protocol requires SMI to be enabled. It is prudent to work on the basis that all Cisco devices with SMI port 4786 open are affected until they are investigated.
What to do
All affected devices need to be investigated, and unnecessary services and protocols should be disabled or controlled through Access Control Lists (ACLs) to prevent the device from being compromised.
Cisco devices that have SMI enabled should be investigated and the recommendations from Cisco should be followed as soon as possible. This means either disabling SMI or, if SMI is required, adding an ACL that restricts access to port 4786.
Review logs to identify any suspicious activity, such as commands from internet-based hosts or connections to unknown IPs.
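As an added example (not part of the CERT NZ advisory and not Cisco's own text), the IOS commands for checking the Smart Install state and for the two remediations above. The interface name and the 10.0.0.x addresses are placeholders to be replaced with your director, client and uplink interface.

```cisco
! 1. Check whether Smart Install is active. A device acting as an SMI client
!    reports "Role: Client (SmartInstall enabled)" in this output.
show vstack config

! 2a. Preferred: disable Smart Install entirely when it is not in use.
configure terminal
 no vstack
end
write memory

! 2b. If SMI is required, restrict TCP 4786 so that only the Smart Install
!     director (10.0.0.1, placeholder) may reach the client (10.0.0.2,
!     placeholder); all other traffic to 4786 is dropped, everything else
!     is left untouched. Bind the list inbound on the internet-facing
!     interface (GigabitEthernet0/1, placeholder).
configure terminal
 ip access-list extended SMI_HARDENING_LIST
  permit tcp host 10.0.0.1 host 10.0.0.2 eq 4786
  deny   tcp any any eq 4786
  permit ip any any
 exit
 interface GigabitEthernet0/1
  ip access-group SMI_HARDENING_LIST in
 exit
end
write memory

! 3. Verify: after 2a the role line should read "SmartInstall disabled";
!    after 2b the deny entry's hit counter shows blocked attempts.
show vstack config
show ip access-lists SMI_HARDENING_LIST
```

The hit counters on the `deny tcp any any eq 4786` entry are a cheap indicator of ongoing scanning and complement the log review recommended above.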
If you think you are impacted, contact the National Cyber Security Centre (NCSC) on 04 498 7654 or firstname.lastname@example.org.
If you require more information or further support, contact NCSC on 04 498 7654 or email@example.com.