Hackers leave US flag after targeting Cisco switches in Russia & Iran

April 9th, 2018, by Waqas, in Hacking News, Cyber Attacks

Cisco switches at data centers in Iran and Russia were targeted by hackers this Friday. The devices were reportedly hijacked by exploiting their Smart Install feature. After compromising the vulnerable switches, the hackers overwrote their IOS image, replacing it with an image of the US flag, and uploaded the following message:

“Don’t mess with our elections…–JHT usafreedom_jht@tutanota.com.”

To achieve this, the hackers changed the configuration of the Cisco switches and uploaded the message as ASCII art. It must be noted that Cisco had already released a patch for a critical flaw (CVE-2018-0171) in its Smart Install software. However, reports suggest that the attacks succeeded by abusing the Smart Install protocol-misuse issue.

Cisco warned in a recent security alert that remote attackers could send Smart Install protocol messages to Smart Install clients in order to modify the startup configuration file.

The hackers, who call themselves JHT, stated that the attack was meant as a warning to state-sponsored hackers targeting the US and other countries. So far, they explained, they have attacked devices only in Iran and Russia, while they patched the majority of vulnerable devices located in the US and UK. Their objective was to trigger a reload in order to upload an image replacing Cisco’s IOS networking software, which allowed them to issue remote commands to the switches.
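A defender-side check for the exposure described above, written here as an added example (not code from the article, from Cisco, or from the researchers quoted): it audits a Cisco IOS startup configuration for a still-enabled Smart Install client, a defacement-style banner, and an unexpected boot image. The sample configuration, hostname, image names and banner text are constructed; `no vstack` is Cisco's documented command for disabling the Smart Install client.

```python
"""Audit a Cisco IOS startup configuration for Smart Install exposure.

Added example, not from the article. Three checks a defender would run
after this campaign:
  1. Smart Install client still enabled (no global 'no vstack' line).
  2. A banner carrying the defacement text the attackers pushed via config.
  3. A 'boot system' image that is not in the known-good set (the attackers
     replaced the IOS image and forced a reload).
"""
import re

# Constructed sample: hostname, image name and banner are made up for the demo.
# Smart Install is enabled by default, so an exposed switch shows no 'vstack'
# line at all; only 'no vstack' indicates it was turned off.
SAMPLE_CONFIG = """\
hostname dc-sw-01
boot system flash:/unexpected.bin
banner motd ^C
Don't mess with our elections...
^C
line vty 0 4
"""

def smart_install_enabled(config: str) -> bool:
    """Smart Install is disabled only when 'no vstack' is present globally."""
    return not re.search(r"^no vstack\s*$", config, re.M)

def banner_text(config: str) -> str:
    """Return the body of the first IOS banner, or '' if none is configured."""
    # IOS banners are delimited by a user-chosen token (here shown as ^C).
    m = re.search(r"^banner \w+ (\S+)\n(.*?)\1", config, re.M | re.S)
    return m.group(2).strip() if m else ""

def boot_images(config: str) -> list[str]:
    """All images named by 'boot system' statements."""
    return re.findall(r"^boot system (\S+)", config, re.M)

def audit(config: str, expected_images: set[str]) -> list[str]:
    """Return a list of finding tags; empty list means nothing suspicious."""
    findings = []
    if smart_install_enabled(config):
        findings.append("smart-install-enabled")
    if "elections" in banner_text(config).lower():
        findings.append("defacement-banner")
    for img in boot_images(config):
        if img not in expected_images:
            findings.append(f"unexpected-boot-image:{img}")
    return findings
```

Run `audit()` over the output of `show startup-config` collected from each switch; a device that reports `smart-install-enabled` should have the client disabled whether or not it has been defaced.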

A significant number of switches have been attacked, which hints at a full-fledged hacktivist campaign launched in protest against election-related hacking. As of now, it isn’t clear whether the attack exploits a newly identified flaw or relies on an abuse method that has been known for over a year.

Cisco switches in Russia & Iran attacked: hackers upload pro-US message

According to Iran’s Ministry of Communication and Information Technology, the attack affected nearly 3,500 switches, most of which were restored immediately.

About 3,500 routers out of the several hundred thousand routers in the country’s network were affected by the attack. The companies’ performance in repelling the attack and restoring normal conditions has been assessed as satisfactory. There were weaknesses in the Maher center’s notification of the companies and also weaknesses in the configuration of the data centers.

— MJ Azari Jahromi (@azarijahromi) April 7, 2018

Cisco had already issued an alert in November 2017, saying it had observed a rise in scans for exploitable Smart Install switches and that state-sponsored hackers were trying to target critical infrastructure using the flaw. US-CERT also released an advisory recently hinting at the involvement of a Russian hacker collective called Dragonfly in targeted attacks against Cisco switches.

The issue was not a vulnerability in the strict sense: Cisco stated that it has not observed attacks exploiting the remote code execution flaw in the already patched Smart Install.

Kaspersky Lab researchers claim that somebody has developed a bot that carries out the above exploit attacks automatically. The bot rewrites the configuration file and displays the message, after which it disables the switch. Kaspersky also stated that the majority of targets are Russian data centers and ISPs.

Cisco Talos Intelligence researchers estimate that approximately 168,000 Smart Install devices are not securely configured and are therefore vulnerable to exploitation. China-based security firm Qihoo 360’s Network Security Research Lab stated that the attacks are not related to CVE-2018-0171 and instead rely on a publicly available Smart Install exploitation tool.

Another security researcher states that the hackers did exploit CVE-2018-0171, and security firm Kudelski Security seconded that claim. Kudelski Security further added that, apart from CVE-2018-0171, the attacks also exploited a recently disclosed IOS flaw tracked as CVE-2018-0156.
