The message “Don’t mess with our elections” followed by a U.S. flag appeared on Iranian and Russian screens after a hacker group exploited Cisco Smart Install Client on vulnerable machines. The hackers claim to have targeted only the computer infrastructure in Iran and Russia during the attack on Friday night.
Reuters reported that Iran’s Communication and Information Technology Ministry said, “The attack apparently affected 200,000 router switches across the world in a widespread attack, including 3,500 switches in our country.”
Researchers from Cisco’s Talos reportedly used Shodan to find over 168,000 systems potentially exposed via the Cisco Smart Install Client. The researchers don’t call it a vulnerability, but a “protocol misuse issue.” That is what it was called back in an “informational” Cisco Security Advisory issued in 2017. Cisco’s Security Advisory issued on Friday, however, lists it as a critical vulnerability.
Dangers of the Cisco Smart Install Client flaw
The flaw in Cisco Smart Install Client allows attackers to run arbitrary code on vulnerable switches. Kaspersky Lab said the attack hit data centers and internet providers across the globe; the attackers would “rewrite the Cisco IOS image on the switches and change the configuration file, leaving a message that reads ‘Do not mess with our elections’ there. The switch then becomes unavailable.”Kaspersky Lab added that the attack was “mostly targeting the Russian-speaking segment of the Internet, yet other segments are clearly more or less affected as well.”
According to screenshots, a hacker group going by “JHT” claimed responsibility for the American flag and message left on Iranian and Russian screens.
As for the why, a spokesperson for the group told Motherboard, “We were tired of attacks from government-backed hackers on the United States and other countries.”
In a blog post from Thursday, Talos researchers linked to US-CERT alert issued in March about “Russian government cyber activity targeting energy and other critical infrastructure sectors.” Motherboard suggested that is what set the vigilante hackers off.
They claimed a scan showed numerous countries with vulnerable systems, but they only attacked Russia and Iran: “We simply wanted to send a message.”
Mohammad Javad Azari-Jahromi, the ICT Minister of Iran, is quoted by Reuters as saying, “Some 55,000 devices were affected in the United States and 14,000 in China, and Iran’s share of affected devices was 2 percent.” He later tweetedthat 95 percent of the attacked routers in Iran had been restored to normal service.
How to mitigate the Cisco Smart Install flaw
Kaspersky pointed out that Cisco’s Smart Install does not require authentication by design and suggested mitigations for system admins.To check if Smart Install is working, you can run the “show vstack config” command on your switch. If the switch responds positively, which means that Smart Install is enabled, it’s better to disable it with the no vstack command.
That won’t work in all cases, as the no vstack command will only persist in some Cisco operating systems releases until the switch is rebooted. Then an upgrade or downgrade of the system version may be advised.
You guys have surpassed my expectations! James is seriously amazing and is doing everything to help my Fiancé and me, in1weeks my credit score went up 700 points and I can only imagine what is to come. Thank you for the excellent customer service and doing exactly what you all have set out to do! NO GIMMICKS OR BS with you guys.They carry out any kind of hacks You can reachout to them via Hackintechnology@gmail.com +16692252253
ReplyDelete