Cisco switches in data centers in Iran and Russia were attacked on Friday, 6 April 2018. The devices were reportedly hijacked through their Smart Install feature; after taking over the vulnerable switches, the attackers overwrote their configuration with ASCII art of the US flag and the following message:
“Don’t mess with our elections…–JHT email@example.com.”
To do this, the attackers pushed a new configuration to the switches, with the message rendered as ASCII art. Cisco had already released a patch for a critical Smart Install flaw, CVE-2018-0171, a remote code execution bug in the Smart Install client. Reports, however, suggest the attacks abused a different and long-known problem: the Smart Install client accepts unauthenticated commands on TCP port 4786, which Cisco classifies as protocol misuse rather than a vulnerability, and which the CVE-2018-0171 patch does not change.
The attackers, who call themselves JHT, said the attack was meant as a warning to state-sponsored hackers targeting the US and other countries. So far, they said, they had hit devices in Iran and Russia only, and they claimed to have patched most of the vulnerable devices in the US and UK themselves. Smart Install misuse gives a remote party the ability to copy a configuration file onto the device, replace the IOS image it boots from and trigger a reload; that is what let the attackers push their configuration and reload the switches without any credentials.
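The check a switch operator would want after reading the above: an audit that reads a device's `show vstack config` output and running-config, reports whether the Smart Install client is listening and whether anything filters TCP/4786, and can optionally confirm with a bare TCP connect. This is an added example written for this page, not code from Cisco, Talos, JHT or the article. The sample outputs and configurations are constructed (modelled on the `Role: Client (SmartInstall enabled)` line Cisco documents and on the interface ACL in Cisco's hardening guidance); the hostname, addresses and the ACL name SMI_HARDENING_LIST are illustrative.

```python
"""Audit Cisco IOS switches for Smart Install (vstack) exposure.

Added example, not Cisco's, Talos's or the article's code. Evidence used:
`show vstack config` (is the client/director active?), `show running-config`
(is `no vstack` set; does an inbound interface ACL deny tcp/4786?) and,
optionally, a plain TCP connect to 4786 that sends no protocol bytes.
"""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

SMI_PORT = 4786  # TCP port the Smart Install client listens on

# Constructed in the format of `show vstack config`; not captured from a device.
VSTACK_ENABLED = " Role: Client (SmartInstall enabled)\n Vstack Director IP address: 0.0.0.0\n"
VSTACK_DISABLED = " Role: Client (SmartInstall disabled)\n Vstack Director IP address: 0.0.0.0\n"

# Constructed running-config excerpts; hostname, addresses and ACL name are illustrative.
WEAK_CONFIG = """\
hostname dc-sw-01
!
interface GigabitEthernet1/0/1
 no switchport
 ip address 203.0.113.10 255.255.255.0
!
end
"""
HARDENED_CONFIG = """\
hostname dc-sw-01
!
no vstack
!
ip access-list extended SMI_HARDENING_LIST
 permit tcp host 203.0.113.5 host 203.0.113.10 eq 4786
 deny tcp any any eq 4786
 permit ip any any
!
interface GigabitEthernet1/0/1
 no switchport
 ip address 203.0.113.10 255.255.255.0
 ip access-group SMI_HARDENING_LIST in
!
end
"""

ROLE_RE = re.compile(r"Role:\s*(Director|Client)\s*(?:\(SmartInstall\s+(enabled|disabled)\))?", re.I)


def smi_state(vstack_output: str) -> Optional[bool]:
    """True if Smart Install is active, False if disabled, None if unrecognised."""
    m = ROLE_RE.search(vstack_output)
    if not m:
        return None
    if m.group(1).lower() == "director":
        return True  # a director always speaks the protocol
    return {"enabled": True, "disabled": False}.get((m.group(2) or "").lower())


def parse_acls(config: str) -> Dict[str, List[str]]:
    """Map named ACLs to their entries (the indented lines under the header)."""
    acls: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"ip access-list (?:extended|standard) (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current and line.startswith(" "):
            acls[current].append(line.strip())
        else:
            current = None  # '!' or any unindented line ends the ACL block
    return acls


def inbound_acls(config: str) -> Set[str]:
    """Names of ACLs applied with `ip access-group NAME in` under an interface."""
    names: Set[str] = set()
    in_iface = False
    for line in config.splitlines():
        if line.startswith("interface "):
            in_iface = True
        elif not line.startswith(" "):
            in_iface = False
        elif in_iface:
            m = re.match(r"\s*ip access-group (\S+) in\b", line)
            if m:
                names.add(m.group(1))
    return names


def acl_denies_smi(entries: List[str]) -> bool:
    """True if the ACL has an explicit deny for tcp/4786 (any-to-any or any-to-host)."""
    return any(re.match(r"deny\s+tcp\s+any\s+(?:any|host\s+\S+)\s+eq\s+4786\b", e) for e in entries)


def tcp_connect_probe(host: str, port: int = SMI_PORT, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes; no Smart Install bytes are sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass
class Finding:
    host: str
    smi_enabled: Optional[bool]  # from `show vstack config`, None if not collected
    no_vstack: bool              # `no vstack` present in running-config
    acl_applied: bool            # an inbound interface ACL denies tcp/4786
    port_open: Optional[bool]    # connect probe result, None if not run

    @property
    def exposed(self) -> bool:
        """Listening, by the best evidence available, with nothing filtering 4786."""
        if self.port_open is not None:
            listening = self.port_open
        elif self.smi_enabled is not None:
            listening = self.smi_enabled
        else:
            listening = not self.no_vstack  # IOS enables the client by default
        return listening and not self.acl_applied


def audit(host: str, vstack_output: Optional[str] = None, running_config: str = "",
          probe: Optional[Callable[[str, int], bool]] = None) -> Finding:
    acls = parse_acls(running_config)
    applied = inbound_acls(running_config)
    return Finding(
        host=host,
        smi_enabled=smi_state(vstack_output) if vstack_output else None,
        no_vstack=bool(re.search(r"^no vstack\s*$", running_config, re.M)),
        acl_applied=any(acl_denies_smi(acls.get(n, [])) for n in applied),
        port_open=probe(host, SMI_PORT) if probe else None,
    )
```

`no vstack` is the fix Cisco documents for switches that do not need Smart Install; where the feature is needed, the ACL permits only the director and drops everyone else. Pass `probe=tcp_connect_probe` to confirm from the network: the probe only completes a handshake and sends no Smart Install messages, but run it from outside the management subnet, otherwise an ACL that permits the director will make the port look open.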
The number of switches hit points to a full-fledged hacktivist campaign launched in protest against election-related hacking. It is not yet clear whether the attack exploited a newly identified flaw or the abuse method that has been known for over a year.
According to Iran's Minister of Information and Communications Technology, Mohammad-Javad Azari Jahromi, the attack affected about 3,500 devices, most of which were restored promptly:
About 3,500 routers, out of a total of several hundred thousand routers in the country's network, have been affected by the attack. The companies' performance in repelling the attack and restoring normal conditions has been assessed as satisfactory. There was a weakness in the Maher centre's notification to the companies, and also a weakness in the configuration of the data centres.
— MJ Azari Jahromi (@azarijahromi) April 7, 2018
Cisco had already warned in November 2017 that it was seeing a rise in scans for exploitable Smart Install clients and that state-sponsored hackers were using the feature to target critical infrastructure. US-CERT also released an advisory recently that pointed to the involvement of a Russian group known as Dragonfly in targeted attacks against Cisco switches.
Cisco's position is that this is not a vulnerability in the strict sense: the company said it had not observed any attacks exploiting the remote code execution flaw it had already patched, and that the activity instead relies on the protocol's design, which lets anyone who can reach the Smart Install port issue commands without authenticating.
Kaspersky Lab researchers say someone has built a bot that carries out the attack automatically: it rewrites the configuration file, displays the message and then disables the switch. Kaspersky also said that most of the targets were Russian data centers and ISPs.
Cisco Talos researchers estimate that approximately 168,000 Smart Install devices are not securely configured and are therefore open to this abuse. Qihoo 360's Network Security Research Lab, a China-based security firm, said the attacks are unrelated to CVE-2018-0171 and instead rely on a publicly available Smart Install exploitation tool (the open-source Smart Install Exploitation Tool, SIET).
Another security researcher, however, said the attackers did exploit CVE-2018-0171, and Kudelski Security seconded that claim. Kudelski added that, alongside CVE-2018-0171, the attacks also exploited a recently disclosed IOS flaw tracked as CVE-2018-0156, a denial-of-service bug in the same Smart Install feature.
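A detection view of the activity described above, as an added example that is not Kaspersky's, Talos's or the article's code: given flow records from the switch management network, flag any TCP/4786 session from a source outside the management subnet, and any source sweeping several switches on that port, which is how the scanning and the automated abuse look on the wire whether or not a CVE is involved. The flow records and the 10.0.0.0/24 management subnet are constructed for the example; the column layout is a generic 5-tuple plus a state field, not any particular sensor's format.

```python
"""Flag Smart Install (tcp/4786) access from untrusted sources in flow records.

Added example; not code from Kaspersky, Cisco or the article.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from typing import Dict, List

SMI_PORT = 4786  # Smart Install client port (TCP)

# Assumption for this example: Smart Install directors and admin hosts live here.
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed flow records for the example, not real telemetry.
# Columns: ts,src,sport,dst,dport,proto,state
SAMPLE_FLOWS = """\
ts,src,sport,dst,dport,proto,state
1523000000,10.0.0.5,51000,10.1.1.10,4786,tcp,established
1523000010,198.51.100.7,40001,10.1.1.10,4786,tcp,established
1523000011,198.51.100.7,40002,10.1.1.11,4786,tcp,rejected
1523000012,198.51.100.7,40003,10.1.1.12,4786,tcp,rejected
1523000013,198.51.100.7,40004,10.1.1.13,4786,tcp,established
1523000020,203.0.113.9,33000,10.1.1.10,22,tcp,established
"""


def is_management(addr: str, nets=MGMT_NETS) -> bool:
    """True if the address belongs to one of the trusted management subnets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def detect_smi_abuse(flow_csv: str, mgmt_nets=MGMT_NETS, scan_threshold: int = 3) -> List[Dict]:
    """Return alerts for untrusted tcp/4786 sessions and for sources sweeping the port.

    Rejected attempts do not raise an access alert (nothing got through) but they
    still count toward the scan tally, because a sweep is a signal on its own.
    """
    alerts: List[Dict] = []
    targets_by_src: Dict[str, set] = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"] != "tcp" or int(row["dport"]) != SMI_PORT:
            continue
        src = row["src"]
        if is_management(src, mgmt_nets):
            continue  # expected director or admin traffic
        targets_by_src[src].add(row["dst"])
        if row["state"] == "established":
            alerts.append({"type": "smi_from_untrusted", "src": src,
                           "dst": row["dst"], "ts": row["ts"]})
    for src, dsts in targets_by_src.items():
        if len(dsts) >= scan_threshold:
            alerts.append({"type": "smi_scan", "src": src, "targets": len(dsts)})
    return alerts
```

An `smi_from_untrusted` alert on a switch whose configuration later changes or that reloads unexpectedly is the sequence described in the Kaspersky account; a lone `smi_scan` from an internet source matches the scanning Cisco reported. Tune `scan_threshold` to the size of the switch estate and extend `MGMT_NETS` with every subnet a legitimate director sits in, or the director itself will be flagged.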