Cisco security: Russia, Iran switches hit by attackers who leave US flag on screens

Hackers use Cisco gear to send Russia a message not to mess with US elections.
Written by Liam Tung, Contributing Writer


Hackers on Friday attacked vulnerable Cisco switches at data centers in Russia and Iran, leaving an image of the US flag and the message: "Don't mess with our elections".

Cisco last month released a patch for a critical vulnerability affecting Smart Install software. However, the Friday attacks exploited a Smart Install "protocol misuse" issue that Cisco issued an alert over on Thursday.

The company warned it had observed a spike in scans for vulnerable Smart Install client switches, and said nation-state hackers are looking to exploit the issue to target critical infrastructure providers.

It also pointed to a recent advisory from US-CERT concerning attacks on critical infrastructure by a Russian hacking group known as Dragonfly.

Cisco warned that remote attackers could send Smart Install protocol messages to Smart Install clients to alter the startup configuration file, trigger a reload, and then load a new image of Cisco's IOS networking software that allows the attacker to issue remote commands to the switches.

The issue was not a vulnerability in the strictest sense, and Cisco said it had not seen attacks attempting to exploit the remote code execution flaw in Smart Install it patched last month.
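As an added example (not part of this article, and not Cisco's own tooling), a small Python audit of an IOS running-config for the exposure described above. It assumes Cisco's documented mitigations: disable the Smart Install client with `no vstack`, or, where Smart Install is needed, filter its TCP port 4786 with an access list; the sample configs are constructed for illustration.

```python
import re

# Smart Install listens on TCP 4786 (per Cisco's advisory).
SMART_INSTALL_PORT = 4786


def audit_smart_install(running_config: str) -> dict:
    """Check an IOS running-config for Smart Install client exposure.

    Returns findings plus the remediation a defender would apply.
    """
    lines = [line.strip() for line in running_config.splitlines()]
    # Smart Install is on by default; it only shows up in the config when disabled.
    vstack_disabled = "no vstack" in lines
    # Any ACL entry that denies TCP to the Smart Install port counts as a filter.
    acl_blocks_port = any(
        re.search(rf"^deny\s+tcp\b.*\beq\s+{SMART_INSTALL_PORT}\b", line)
        for line in lines
    )
    exposed = not (vstack_disabled or acl_blocks_port)
    return {
        "vstack_disabled": vstack_disabled,
        "acl_blocks_4786": acl_blocks_port,
        "exposed": exposed,
        "remediation": "no vstack" if exposed else None,
    }


# Constructed sample: a client switch with Smart Install left at its default.
EXPOSED_CONFIG = """\
hostname edge-sw1
ip domain-name example.test
line vty 0 4
 transport input ssh
"""

# Constructed sample: same switch after applying Cisco's mitigation.
HARDENED_CONFIG = """\
hostname edge-sw1
ip domain-name example.test
no vstack
ip access-list extended BLOCK-SMI
 deny tcp any any eq 4786
 permit ip any any
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_smart_install(cfg))
```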

According to Kaspersky, someone has developed a bot that automatically carries out the steps described in Cisco's alert after identifying vulnerable Smart Install switches via the Shodan search engine.


Once identified, the bot rewrites the configuration file and displays the calling card: "Don't mess with our elections.... --JHT usafreedom_jht@tutanota.com". It then disables the switch. Kaspersky noted that mostly Russian ISPs and data centers are being targeted.

A person using that email address told Motherboard: "We were tired of attacks from government-backed hackers on the United States and other countries... We simply wanted to send a message."

The hackers said they scanned many countries for vulnerable Cisco switches but only attacked devices in Russia and Iran. They also claimed to have fixed insecurely-configured switches in the US and UK.

Cisco's Talos Intelligence researchers estimate there are around 168,000 Smart Install instances that probably haven't been configured securely. Cisco issued the alert because of a huge uptick since November in scans for the port used by Smart Install.

Iran's Communication and Information Technology Ministry said around 3,500 Cisco switches in Iran were affected by the attack, according to Reuters.

By Saturday, 95 percent of the affected switches had been restored, Iran's ICT Minister MJ Azari Jahromi said in a tweet.
