On April 5, Cisco's Talos threat research blog issued an urgent advisory warning security teams, especially those safeguarding industrial control systems (ICS), of a recent increase in scanning for devices running Cisco's Smart Install client, a legacy plug-and-play feature used to automatically configure new switches. As the Talos post notes, actors can abuse the Smart Install protocol and ultimately gain access "allowing for the execution of IOS commands."
I won't reprint the Cisco advisory here, but it is well worth a read. The key items are summarized below, along with our take and some notes on how Claroty's Continuous Threat Detection (CTD) can help ICS cybersecurity teams hunt for this activity.
Source: Talos blog
- A recent Shodan search indicated that more than 168,000 systems were potentially exposed through the Smart Install client
- Talos has seen a sharp increase in scanning for the vulnerable client since November 2017
- Cisco believes the activity is nation-state led and that it targets the same industrial systems named in the recent DHS/US-CERT warning
- The activity extends beyond the U.S. and has been observed in "several" countries
Given this active targeting by advanced threat actors, security teams should review their systems immediately.
The Talos post includes mitigation steps for disabling the vulnerable feature on affected devices, and Cisco has published an open-source scanner that identifies devices speaking the Smart Install protocol.
Claroty customers can use the threat hunting and baseline capabilities of Continuous Threat Detection (CTD) to determine whether their systems have been actively targeted. If a threat actor targets CTD-monitored switches, the system will raise a baseline deviation alert that incident response teams can investigate. Claroty will also update its Snort rule set so that CTD version 2.1 customers are alerted, by name, to this specific threat activity.
Threat Hunting Instructions:
Claroty customers can hunt across the systems CTD monitors to determine whether their networks have been targeted.
- Open Baselines from the navigation bar
- Look for activity on TCP port 4786, the port the Smart Install protocol uses
- Confirm that every source of that traffic is a legitimate, expected host (such as a known Smart Install director); investigate any source that is not
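The same three hunting steps can be run against exported flow or connection logs when the CTD console is not at hand. The script below is an added example, not Claroty's or Cisco's code. It assumes constructed Zeek conn.log-style records, a hypothetical allowlist of Smart Install directors (10.10.1.5) and a hypothetical internal address space (10.0.0.0/8); every address and record in it is made up for the example.

```python
"""Hunt for Cisco Smart Install (TCP/4786) activity in connection logs.

Added example, not Claroty's or Cisco's code. It applies the three hunting
steps above to constructed Zeek conn.log-style records: find every source
that talked to TCP/4786, compare it with the hosts that are supposed to
(the Smart Install directors), and flag sources that touched many switches,
which is what a scan for the Smart Install client looks like in flow data.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SMART_INSTALL_PORT = 4786  # TCP port used by the Smart Install protocol

# Zeek conn_state values that mean the TCP handshake completed, i.e. the
# switch actually accepted the connection on 4786.
ESTABLISHED_STATES = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}

# Assumptions for the example (hypothetical, not from the original post):
# the only host that should ever speak Smart Install to the switches, and
# the address space considered internal.
EXPECTED_DIRECTORS = [ip_network("10.10.1.5/32")]
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample log (not real traffic). Tab-separated fields in Zeek
# conn.log order: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, conn_state
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1522900001.1\t10.10.1.5\t51234\t10.10.2.10\t4786\ttcp\tSF
1522900002.3\t10.10.1.5\t51235\t10.10.2.11\t4786\ttcp\tSF
1522900010.0\t203.0.113.77\t40001\t10.10.2.10\t4786\ttcp\tSF
1522900010.2\t203.0.113.77\t40002\t10.10.2.11\t4786\ttcp\tSF
1522900010.4\t203.0.113.77\t40003\t10.10.2.12\t4786\ttcp\tREJ
1522900010.6\t203.0.113.77\t40004\t10.10.2.13\t4786\ttcp\tS0
1522900011.0\t10.10.3.20\t55000\t10.10.2.10\t4786\ttcp\tSF
1522900012.0\t10.10.3.21\t55001\t10.10.2.10\t443\ttcp\tSF
1522900013.0\t10.10.3.22\t55002\t10.10.2.10\t4786\tudp\tS0
"""


@dataclass(frozen=True)
class Conn:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    state: str


@dataclass
class Finding:
    src: str
    targets: set      # distinct switches this source reached on 4786
    attempts: int     # number of connections to 4786
    external: bool    # source lies outside INTERNAL_NETS
    verdict: str      # "expected", "unexpected" or "probable-scan"


def parse_conn_log(text):
    """Parse conn.log-style text; '#' header and comment lines are skipped."""
    conns = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, state = line.split("\t")
        conns.append(Conn(float(ts), src, int(sport), dst, int(dport), proto, state))
    return conns


def _in_any(addr, nets):
    ip = ip_address(addr)
    return any(ip in net for net in nets)


def _smart_install_conns(conns):
    # Smart Install is TCP only, so UDP hits and other ports are ignored.
    return [c for c in conns if c.proto == "tcp" and c.dport == SMART_INSTALL_PORT]


def hunt_smart_install(conns, expected=EXPECTED_DIRECTORS,
                       internal=INTERNAL_NETS, scan_threshold=3):
    """Return {source_ip: Finding} for every source that reached TCP/4786.

    A source is "expected" if it is an allowlisted director, "probable-scan"
    if it touched at least scan_threshold distinct switches, else "unexpected".
    """
    by_src = defaultdict(list)
    for c in _smart_install_conns(conns):
        by_src[c.src].append(c)

    findings = {}
    for src, hits in by_src.items():
        targets = {c.dst for c in hits}
        if _in_any(src, expected):
            verdict = "expected"
        elif len(targets) >= scan_threshold:
            verdict = "probable-scan"
        else:
            verdict = "unexpected"
        findings[src] = Finding(src, targets, len(hits), not _in_any(src, internal), verdict)
    return findings


def smart_install_enabled_switches(conns):
    """Switches that completed a handshake on 4786, i.e. still run the client."""
    return {c.dst for c in _smart_install_conns(conns) if c.state in ESTABLISHED_STATES}


if __name__ == "__main__":
    records = parse_conn_log(SAMPLE_CONN_LOG)
    for f in hunt_smart_install(records).values():
        print(f"{f.src:16} {f.verdict:14} targets={len(f.targets)} "
              f"attempts={f.attempts} external={f.external}")
    print("Smart Install still answering on:", sorted(smart_install_enabled_switches(records)))
```

Running it prints one line per source that reached TCP/4786: the allowlisted director is reported as expected, a single unexpected internal host is flagged for investigation, and an external address that probed four switches is reported as a probable scan. The set returned by smart_install_enabled_switches lists the switches that actually accepted a connection on 4786; those are the devices on which to apply the Talos mitigation, disabling the feature with the IOS command `no vstack` on switches that do not need it and confirming with `show vstack config`.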
Any Claroty customers who need support with this activity are encouraged to contact our support team at: