Cisco's Smart Install software has become the vector for a series of infrastructure attacks and politically-motivated defacements.

Cisco's own Talos security limb reports that bad actors, some likely state-supported, have been scanning Switchzilla devices to see if they run Smart Install. The tool is insecure-by design because its purpose is to allow deployment of brand-new switches to remote sites. Those switches are therefore insecure as they await proper configuration.

Or improper configurations: Cisco has previously explained that potential attacks reached all the way up to replacing the IOS operating system image (if the attacker had the resources to create their own IOS-like image).

Because of those dangers and because many users forgot to turn Smart Install off, Cisco last year released a tool to shut it down. But Talos says about 160,000 devices still run the software and some are under attack.

Talos is seeing increasing probes for the Smart Install client

Kaspersky Lab thinks it's found evidence of those attacks. The company has reported that parties are replacing Cisco switches firmware so they boot up with the message "Do not mess with our elections” and an ASCII art United States flag. The attack also bricks the device.

I imagine if the person who bricked Cisco kit across Iran and Russia is really a lone US patriot, they’re going to get vanned soon as they just disabled easy mode onto foreign critical infrastructure networks. pic.twitter.com/EzdpCDNMIS — Kevin Beaumont (@GossiTheDog) April 9, 2018

Talos has reminded users how to see if a switch is running Smart Install:

switch#show vstack config | inc Role Role: Client (SmartInstall enabled)

Talos has also advised that you can switch off Smart Install with the no vstack command or by using an access control list to limit access to Smart Install. Or you could use Cisco's patch from 2017, which it seems a remarkable number of people did not deploy! ®