Video: Cisco patches critical Smart Install flaw: 8.5 million devices affected
Hackers on Friday attacked vulnerable Cisco switches at data centers in Russia and Iran, leaving an image of the US flag and the message: "Don't mess with our elections".
Cisco last month released a patch for a critical vulnerability affecting Smart Install software. However, the Friday attacks exploited a Smart Install "protocol misuse" issue that Cisco issued an alert over on Thursday.
The company warned it had observed a spike in scans for vulnerable Smart Client switches, and said nation-state hackers are looking to exploit it to target critical infrastructure providers.
It also pointed to a recent advisory from US-CERT concerning attacks on critical infrastructure by a Russian hacking group known as Dragonfly.
Cisco warned that remote attackers could send Smart Install protocol messages to Smart Install clients to alter the startup configuration file, trigger a reload, and then load a new image of Cisco's IOS networking software that allows the attack to issue remote commands to the switches.
The issue was not a vulnerability in the strictest sense, and Cisco said it had not seen attacks attempting to exploit the remote code execution flaw in Smart Install it patched last month.
According to Kaspersky, someone has developed a bot that automatically carries out the steps described in Cisco's alert after identifying vulnerable Smart Install switches via the Shodan search engine.
SEE: Can Russian hackers be stopped? Here's why it might take 20 years (TechRepublic cover story) | download the PDF version
Once identified, the bot rewrites the configuration file and displays the calling card: "Don't mess with out elections.... --JHT firstname.lastname@example.org". It then disables the switch. Kaspersky noted that mostly Russian ISPs and data centers are being targeted.
A person using that email address told Motherboard: "We were tired of attacks from government-backed hackers on the United States and other countries... We simply wanted to send a message."
The hackers said they scanned many countries for vulnerable Cisco switches but only attacked devices in Russia and Iran. They also claimed to have fixed insecurely-configured switches in the US and UK.
Cisco's Talos Intelligence researchers estimate there are around 168,000 Smart Install instances that probably haven't been configured securely. It issued the alert because of a huge uptick since November in scans for the port used by Smart Install.
Iran's Communication and Information Technology Ministry said around 3,500 Cisco switches in Iran were affected by the attack, according to Reuters.
By Saturday, 95 percent of the affected switches had been restored, Iran's ICT Minister MJ Azari Jahromi said in a tweet.
Previous and related coverage
Cisco patches a severe flaw in switch deployment software that can be attacked with crafted messages sent to a port that's open by default.
Cisco patches two serious authentication bugs and a Java deserialization flaw.
A proof-of-concept exploit for Cisco's 10-out-of-10 severity bug surfaces days after researcher details his attack.
Cisco has warned that its original fix for the 10/10-severity ASA VPN flaw was
Updated: Cisco should do more to help companies secure their network gear, says one customer.
The attack targets the Cisco Smart Install Client, and as many as 168,000 systems could be vulnerable.