Did nation state hackers target computer networks of Iran by exploiting a flaw with Cisco routers?
“Advanced actors” have exploited a flaw with Cisco routers to launch an attack at the weekend that apparently hit 200,000 routers around the world.
This included 3,500 switches in Iran, according to that country’s Communication and Information Technology Ministry, as reported by Iran’s official news agency IRNA.
And there is a suspicion that these “advanced actors” could have been working for a nation state, after computer screens in data centres in Iran were left with the image of a US flag on screens along with a warning: “Don’t mess with our elections”.
The Iranian statement said the attack, which hit ISPs and cut off web access for subscribers, was made possible by a vulnerability in routers from Cisco.
The networking giant had earlier issued a warning and provided a patch that some firms had failed to install over the Iranian new year holiday.
“Cisco has recently become aware of specific advanced actors targeting Cisco switches by leveraging a protocol misuse issue in the Cisco Smart Install Client,” blogged Nick Biasini, threat researcher at Cisco’s Talos Security Intelligence and Research Group.
“Several incidents in multiple countries, including some specifically targeting critical infrastructure, have involved the misuse of the Smart Install protocol,” wrote Biasini. “Some of these attacks are believed to be associated with nation-state actors, such as those described in US CERT’s recent alert. As a result, we are taking an active stance, and are urging customers, again, of the elevated risk and available remediation paths.”
The Cisco Smart Install Client is a legacy utility designed to allow no-touch installation of new Cisco equipment, specifically Cisco switches. But it seems that hackers have found how to exploit this, as the Cisco Smart Install protocol can be abused to modify the TFTP server setting, exfiltrate configuration files via TFTP, modify the configuration file, replace the IOS image, and set up accounts, allowing for the execution of IOS commands.
“Although this is not a vulnerability in the classic sense, the misuse of this protocol is an attack vector that should be mitigated immediately,” warned Biasini. “Throughout the end of 2017 and early 2018, Talos has observed attackers trying to scan clients using this vulnerability. Recent information has increased the urgency of this issue.”
Cisco’s Talos said it was able to identify that more than 168,000 systems are potentially exposed via the Cisco Smart Install Client.
“In order to secure and monitor perimeter devices, network administrators need to be especially vigilant,” Biasini warned. “It can be easy to ‘set and forget’ these devices, as they are typically highly stable and rarely changed.”
“Having observed attackers actively leveraging this vector, Cisco strongly encourages all customers to review their architecture, use the tools provided by Talos to scan their network, and remove Cisco Smart Install Client from all devices where it is not used,” he wrote.
According to Reuters, Iran’s IT Minister Mohammad Javad Azari-Jahromi posted a picture of a computer screen on Twitter with the image of the US flag and the hackers’ message. He said it was not yet clear who had carried out the attack.
Azari-Jahromi said the attack mainly affected Europe, India and the United States, state television reported.
“Some 55,000 devices were affected in the United States and 14,000 in China, and Iran’s share of affected devices was 2 percent,” Azari-Jahromi was quoted as saying.
Iran was famously hit by the Stuxnet worm that attacked systems controlling Iranian uranium processing centrifuges back in 2010.
It is widely believed that US’ National Security Agency (NSA) worked with the Israeli government to create the program.
Do you know all about security? Try our quiz!