The message “Don’t mess with our elections” followed by a U.S. flag appeared on Iranian and Russian screens after a hacker group exploited Cisco Smart Install Client on vulnerable machines. The hackers claim to have targeted only the computer infrastructure in Iran and Russia during the attack on Friday night.
Reuters reported that Iran’s Communication and Information Technology Ministry said, “The attack apparently affected 200,000 router switches across the world in a widespread attack, including 3,500 switches in our country.”
Researchers from Cisco’s Talos reportedly used Shodan to find over 168,000 systems potentially exposed via the Cisco Smart Install Client. The researchers don’t call it a vulnerability, but a “protocol misuse issue.” That is what it was called back in an “informational” Cisco Security Advisory issued in 2017. Cisco’s Security Advisory issued on Friday, however, lists it as a critical vulnerability.
The flaw in Cisco Smart Install Client allows attackers to run arbitrary code on vulnerable switches. Kaspersky Lab said the attack hit datacenters and internet providers across the globe; the attackers would “rewrite the Cisco IOS image on the switches and change the configuration file, leaving a message that reads ‘Do not mess with our elections’ there. The switch then becomes unavailable.”
Kaspersky Lab added that the attack was “mostly targeting the Russian-speaking segment of the Internet, yet other segments are clearly more or less affected as well.”
According to screenshots, a hacker group going by “JHT” claimed responsibility for the American flag and message left on Iranian and Russian screens.
As for the why, a spokesperson for the group told Motherboard, “We were tired of attacks from government-backed hackers on the United States and other countries.”
In a blog post from Thursday, Talos researchers linked to a US-CERT alert issued in March about “Russian government cyber activity targeting energy and other critical infrastructure sectors.” Motherboard suggested that is what set the vigilante hackers off.
They claimed a scan showed numerous countries with vulnerable systems, but they attacked only Russia and Iran; “We simply wanted to send a message.”
Mohammad Javad Azari-Jahromi, the ICT Minister of Iran, is quoted by Reuters as saying, “Some 55,000 devices were affected in the United States and 14,000 in China, and Iran’s share of affected devices was 2 percent.” He later tweeted that 95 percent of the attacked routers in Iran had been restored to normal service.
Kaspersky pointed out that Cisco’s Smart Install does not require authentication by design and suggested mitigations for system admins.
To check whether Smart Install is enabled, run the “show vstack config” command on your switch. If the switch reports that Smart Install is enabled, it’s better to disable it with the no vstack command.
That won’t work in all cases: in some Cisco IOS releases the no vstack setting does not survive a reboot, so an upgrade or downgrade of the software version may be advised.
Kaspersky also advised:
If your business processes do not allow you to shut down Smart Install, or your version of Cisco OS does not support the “no vstack” command (and it is quite possible — it was added with one of the patches), then you should limit connections to port 4786.
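The three checks above (is Smart Install enabled, has it been turned off, is TCP/4786 filtered) are the kind of thing an operator wants to run across a whole switch estate rather than one console at a time. The following Python is an added example, not code from Kaspersky, Cisco or Talos: it audits saved “show vstack config” and running-config text that an admin has already collected from their own switches and reports which ones are still exposed. The sample command output and configuration excerpts are constructed for the example (the hostnames, the 10.10.10.x addresses and the ACL name SMI_HARDENING_LIST are placeholders), and the parser assumes the client prints its state in a “Role: Client (SmartInstall enabled|disabled)” line; adjust the regex if your release words it differently.

```python
"""Audit collected Cisco IOS output for Smart Install (TCP/4786) exposure.

Added example (not vendor code). Inputs are plain text captured from
`show vstack config` and `show running-config`; no device is contacted.
"""
import re
from dataclasses import dataclass

SMART_INSTALL_PORT = 4786


@dataclass
class SmartInstallFinding:
    hostname: str
    smart_install_enabled: bool
    port_4786_filtered: bool

    @property
    def exposed(self) -> bool:
        # Exposed only when the client is on AND nothing filters the port.
        return self.smart_install_enabled and not self.port_4786_filtered


def smart_install_enabled(vstack_output: str) -> bool:
    """Read the Role line of `show vstack config` (assumed wording)."""
    m = re.search(r"Role:.*\(SmartInstall\s+(enabled|disabled)\)",
                  vstack_output, re.IGNORECASE)
    if m is None:
        raise ValueError("Smart Install state not found in vstack output")
    return m.group(1).lower() == "enabled"


def acls_blocking_4786(running_config: str) -> set[str]:
    """Names of extended ACLs containing a 'deny tcp ... eq 4786' entry."""
    blocking: set[str] = set()
    current = None
    for line in running_config.splitlines():
        header = re.match(r"ip access-list extended (\S+)", line)
        if header:
            current = header.group(1)
            continue
        if current and line.startswith(" "):
            if re.match(rf"\s*deny\s+tcp\s+.*\beq\s+{SMART_INSTALL_PORT}\b", line):
                blocking.add(current)
        else:
            current = None  # '!' or an unindented line ends the ACL block
    return blocking


def applied_acls(running_config: str) -> set[str]:
    """ACLs actually applied inbound on some interface."""
    return set(re.findall(r"^\s*ip access-group (\S+) in\s*$",
                          running_config, re.MULTILINE))


def audit(hostname: str, vstack_output: str, running_config: str) -> SmartInstallFinding:
    """An ACL only helps if it both denies 4786 and is applied somewhere."""
    enabled = smart_install_enabled(vstack_output)
    filtered = bool(acls_blocking_4786(running_config) & applied_acls(running_config))
    return SmartInstallFinding(hostname, enabled, filtered)


# Constructed sample command output (not captured from a real device).
VSTACK_ENABLED = """\
 Role: Client (SmartInstall enabled)
 Vstack Director IP address: 0.0.0.0
"""
VSTACK_DISABLED = """\
 Role: Client (SmartInstall disabled)
 Vstack Director IP address: 0.0.0.0
"""

# Constructed running-config excerpts. The hardened one allows a placeholder
# director (10.10.10.1) to reach 4786 on the switch and denies everyone else.
CONFIG_HARDENED = """\
hostname SW-CORE-1
!
ip access-list extended SMI_HARDENING_LIST
 permit tcp host 10.10.10.1 host 10.10.10.200 eq 4786
 deny tcp any any eq 4786
 permit ip any any
!
interface GigabitEthernet1/0/1
 ip access-group SMI_HARDENING_LIST in
!
"""
CONFIG_OPEN = """\
hostname SW-ACCESS-7
!
interface GigabitEthernet1/0/1
!
"""

if __name__ == "__main__":
    for host, vstack, cfg in [("SW-ACCESS-7", VSTACK_ENABLED, CONFIG_OPEN),
                              ("SW-CORE-1", VSTACK_ENABLED, CONFIG_HARDENED),
                              ("SW-ACCESS-8", VSTACK_DISABLED, CONFIG_OPEN)]:
        f = audit(host, vstack, cfg)
        print(f"{f.hostname}: enabled={f.smart_install_enabled} "
              f"filtered={f.port_4786_filtered} EXPOSED={f.exposed}")
```

Because the no vstack setting does not persist across a reboot on some releases, re-collect and re-run this after any reload rather than trusting an earlier pass; and note the script checks only interface ACLs, not a control-plane policy or an upstream firewall, so a switch it flags as exposed may still be protected elsewhere.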