
Chinese hackers targeting Cisco “features” (not bugs) warns NSA

"The authoring agencies have observed Cisco-specific features often being targeted ..."

Chinese threat actors are targeting Cisco “features” to help breach organisations, including telecommunications companies, warned the NSA.

The US’s National Security Agency highlighted the risk in a joint advisory [pdf] that followed a series of attacks by a group dubbed “Salt Typhoon.”

The attacks, said the Senate Intelligence Committee chairman, Mark Warner, were “the worst in our nation’s history… my hair’s on fire.”

Network hygiene, please…

The advisory has a firm focus on network security and urges organisations to “ensure all networking configurations are stored, tracked, and regularly audited for compliance with security policies and best practices…”

“Organizations in the communications sector should be aware”, the group of six Five Eyes agencies added on December 3, “that the authoring agencies have observed Cisco-specific features often being targeted by, and associated with, these PRC cyber threat actors’ activity…”

Advice for network engineers from the NSA

Use an out-of-band management network that is physically separate from the operational data flow network. Ensure that management of network infrastructure devices can only come from the out-of-band management network. In addition, confirm that the out-of-band management network does not allow lateral management connections between devices to prevent lateral movement in the case that one device becomes compromised.

Ensure device management is physically isolated from the customer and production networks. When properly implemented, out-of-band management can mitigate many threat actor tactics, techniques, and procedures (TTPs).

Implement a strict, default-deny ACL strategy to control inbound and egressing traffic. Ensure all denied traffic is logged. For maximum depth, implement on separate devices from those implementing other security controls.

Employ strong network segmentation via the use of router ACLs, stateful packet inspection, firewall capabilities, and demilitarized zone (DMZ) constructs. Separation via virtual local area networks (VLANs) and, if possible, private VLANs (PVLAN) will provide additional granular logical separation. This should be done as part of a broader defense-in-depth approach that protects and isolates different device groups.

Place externally facing services, such as Domain Name System (DNS), web servers, and mail servers, in a DMZ to provide segmentation from the internal LAN and backend resources.

Additionally, as a general strategy, put devices with similar purposes in the same VLAN. For example, place all user workstations from a certain team in one VLAN, while putting another team with different functions in a separate VLAN.

Do not manage devices from the internet. Only allow device management from trusted devices on trusted networks. Use dedicated administrative workstations (DAWs) connected to dedicated management zones.

The advisory therefore called on defenders to “Disable all unnecessary discovery protocols, such as Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP)” and, “Similarly, disable any unauthenticated management protocols or functions, such as Cisco Smart Install…”

Among other guidelines on Cisco kit it urged users to:

  • Disable Cisco’s Smart Install service using no vstack.
  • If not required, disable the guestshell access using guestshell disable for those versions which support the guestshell service.
  • Disable all non-encrypted web management capabilities. If web management is required, configure servers in compliance with vendor recommended security settings and software images.
  • Disable telnet and ensure it is not available on any of the Virtual Teletype (VTY) lines by configuring all VTY stanzas with transport input ssh and transport output none.

Cisco Smart Install is a legacy feature that provides zero-touch deployment for devices such as access layer switches. Leaving it exposed on a reachable network lets an attacker extract the startup configuration from the Cisco device and obtain passwords and other configuration data.
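As an added example (not from the article or the advisory), the following Python script audits an IOS-style running-config text for the items in the checklist above that show up as plain config lines: Smart Install, CDP, cleartext HTTP management and the VTY transport settings. The two config excerpts are constructed samples; guestshell is not checked because its state is not a single config line, and the script assumes IOS omits default-on settings from the running-config.

```python
# Constructed IOS-style running-config excerpts; not captured from any real device.
WEAK_CONFIG = """\
hostname edge-sw1
ip http server
line vty 0 4
 transport input telnet ssh
 transport output all
line vty 5 15
 transport input ssh
 transport output none
"""

HARDENED_CONFIG = """\
hostname edge-sw1
no cdp run
no vstack
no ip http server
ip http secure-server
line vty 0 15
 transport input ssh
 transport output none
"""

def vty_stanzas(config):
    """Map each 'line vty ...' header to its indented child commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return stanzas

def audit_config(config):
    """Return one finding string per advisory item the config does not meet."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    # Assumption: defaults are not printed, so CDP and Smart Install count as
    # enabled unless their explicit 'no' form is present.
    if "no vstack" not in lines:
        findings.append("Smart Install not disabled: add 'no vstack'")
    if "no cdp run" not in lines:
        findings.append("CDP not disabled globally: add 'no cdp run'")
    if "ip http server" in lines:
        findings.append("Cleartext HTTP management enabled: add 'no ip http server'")
    for header, cmds in vty_stanzas(config).items():
        if "transport input ssh" not in cmds:
            findings.append(f"{header}: set 'transport input ssh'")
        if "transport output none" not in cmds:
            findings.append(f"{header}: set 'transport output none'")
    return findings
```

Running `audit_config(WEAK_CONFIG)` yields five findings (Smart Install, CDP, HTTP, and both transport settings on `line vty 0 4`), while the hardened excerpt yields none.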


Cisco Discovery Protocol runs on all kit made by Cisco, including routers, bridges, access servers, and switches. Cisco describes it as “crucial for network administrators to maintain an accurate network topology, ensure device inventory accuracy, troubleshoot network connectivity issues, enhance network security, and optimize network performance.”

Besides the critical vulnerabilities found in it over the years, which pose a risk if left unpatched, CDP also exposes information about neighboring devices, such as IP addresses and port IDs, which can itself be abused. The advisory did not explicitly detail how the Cisco features are being abused.

The NSA also urged network defenders among other moves to, “when possible, apply secure authentication to protocols and services which allow it, such as Network Time Protocol (NTP), Terminal Access Controller Access-Control System (TACACS+), Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), and Hot Standby Router Protocol (HSRP).”
