{
	"id": "84edd7ed-a3b4-4bed-a881-ca9da49418c6",
	"created_at": "2026-04-06T00:22:35.461646Z",
	"updated_at": "2026-04-10T03:30:33.376376Z",
	"deleted_at": null,
	"sha1_hash": "78a6e23fb9d0380afa446e544b6ae2eddb2edca3",
	"title": "Attackers Continue to Target Legacy Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40534,
	"plain_text": "Attackers Continue to Target Legacy Devices\r\nBy Omar Santos\r\nPublished: 2020-10-20 · Archived: 2026-04-05 22:45:51 UTC\r\nAttackers will always target the \"low hanging fruit\": devices that have passed end-of-software maintenance and end-of-support. A few years ago, Cisco described the evolution of attacks against infrastructure devices. All of the attacks discussed in that article targeted devices that had reached the end-of-sale milestone several years earlier! Too many organizations are relying on seriously outdated network components and operating systems, thus providing even more opportunity for adversaries to infiltrate or attack their network. In fact, some organizations continue to run network infrastructure software versions that are more than 8 years old (which likely are exposed to many unpatched known vulnerabilities).\r\nAdversarial Tactics and Techniques\r\nThe malware used in the aforementioned evolved Cisco IOS attacks shows increasing levels of complexity in the type of modifications made to legacy Cisco IOS, the behavior of Command and Control (C2) communication, and the platforms it targets. The following are some of the most noticeable tactics and techniques used by adversaries in those attacks:\r\nAutomated exfiltration via traffic duplication by using modified SPAN ports.\r\nWeaken encryption: Diffie-Hellman keyspace was reduced by attackers.\r\nLegacy Cisco IOS Software was modified to disable crypto hardware acceleration.\r\nThe ROMMON on the targeted Cisco device was modified to ensure persistence of the command and control channel.\r\nAttackers leveraged modified ROMMON code in order to inject binary code into the in-memory Cisco IOS image to support data exfiltration.\r\nThe usage of adversary-controlled TFTP servers in order to load malicious software onto the targeted infrastructure device.\r\nAttackers used the Simple Network Management Protocol (SNMP) with stolen credentials to retrieve the compromised device configuration.\r\nAttackers exfiltrated device-specific data via ICMP packets.\r\nCrafted ICMP packets were also used to trigger unwanted device behavior that helped the attacker further manipulate the compromised device.\r\nSome of the modified software images included keylogging mechanisms designed to capture the network administrator's keystrokes.\r\nThe Cisco PSIRT has also seen multiple attacks against legacy protocols, such as Smart Install. According to Shodan, there are thousands of devices that are still running Smart Install. Cisco Smart Install is a legacy feature that provides zero-touch deployment for new switches, typically access layer switches. Customers who are seeking more than zero-touch deployment should consider deploying the Cisco Network Plug and Play solution instead.\r\nThe main weakness of the Smart Install protocol is the lack of authorization or authentication mechanisms between the client and the director. This can allow a client to process crafted Smart Install protocol messages as if these messages were from the Smart Install director. The following are some of the techniques used by attackers leveraging Smart Install-enabled devices:\r\nAttackers changed the TFTP server address on integrated branch clients (IBC).\r\nAttackers copied arbitrary files from the affected device to an attacker-controlled TFTP server.\r\nThe target device's startup configuration (startup-config) file was replaced with a file that the attacker prepared. Attackers then forced a reload of the IBC after a defined time interval, so that it subsequently booted with the new startup-config.\r\nIn some cases, adversaries loaded attacker-supplied firmware onto the compromised device.\r\nAttackers were able to execute high-privileged CLI commands on the affected device (including do-exec CLI commands).\r\nA Call to Action\r\nUpgrading infrastructure devices is a big undertaking and in some cases requires network downtime. However, the costs of ignoring the problem of aging infrastructure and running legacy protocols can run much higher. Modern network infrastructure devices now come with numerous security features and capabilities that mitigate all the aforementioned attacks. The Cisco Secure Development Lifecycle (SDL) applies industry-leading practices and technology to build trustworthy solutions that have fewer field-discovered product security incidents. Because network infrastructure devices play a fundamental role in the growth and trajectory of a business, forward-looking leaders and engineers must have a resilience strategy that includes investing in updating IT infrastructure.\r\nSource: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
	],
	"report_names": [
		"4169954"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434955,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/78a6e23fb9d0380afa446e544b6ae2eddb2edca3.pdf",
		"text": "https://archive.orkl.eu/78a6e23fb9d0380afa446e544b6ae2eddb2edca3.txt",
		"img": "https://archive.orkl.eu/78a6e23fb9d0380afa446e544b6ae2eddb2edca3.jpg"
	}
}