Unidentified hackers misused hundreds of thousands of Cisco Systems switches to take control of networks across the world and deliver an ominous warning not to interfere with future U.S. elections.
The incident took place on Apr. 6, as network and data center operators observed a U.S. flag composed of text characters on their computer screens along with the following message: “Don’t mess with our elections.” Affected switches were also rendered inoperable during the attack, which appears to also have affected the operations of some websites and denied web access to some ISP subscribers.
The hackers hijacked the switches by capitalizing on the Cisco Smart Install Client, a legacy utility used for the remote configuration and OS image-management of Cisco switches, whose protocol can be abused by unauthenticated, remote attackers to change configuration files, force a reload of the device, load a new IOS (Internetwork Operating System) image, and then execute high-privilege commands via the command-line interface.
As first noted by Reuters, Iran’s Communication and Information Technology Ministry disclosed the incident in a statement that claimed the U.S., Europe and India were mainly affected. “Some 55,000 devices were affected in the United States and 14,000 in China, and Iran’s share of affected devices was 2 percent,” said Iran’s IT Minister Mohammad Javad Azari-Jahromi, according to Reuters. Iran further reported that the attack affected 200,000 router switches in total, including 3,000 within its borders.
Through its Talos threat research division, Cisco Systems reported via blog post last Thursday the company recently became “aware of specific advanced actors targeting Cisco switches” via the Small Install protocol, in order to target critical infrastructure. That report, however, does not allude to Friday’s hacktivism-style attack, but rather activity by alleged Russian nation-state actors that was reported by the U.S. CERT.
Also, last February, Talos reported an uptick in active internet scanning for exploitable Small Install protocols. In reaction, Cisco developed its own utility that users can run against their infrastructure to determine if it is prone to Smart Install protocol abuse.
In regards to this latest incident, “It seems that there’s a bot that is searching for vulnerable Cisco switches via the IoT search engine Shodan and exploiting the vulnerability in them (or, perhaps, it might be using Cisco’s own utility that is designed to search for vulnerable switches),” the Kaspersky Lab report states. “Once it finds a vulnerable switch, it exploits the Smart Install Client, rewrites the config – and thus takes another segment of the internet down. That results in some data centers being unavailable, and that, in turn, results in some popular sites being down.”
According to Talos, its researchers performed a recent Shodan scan that identified more than 168,000 systems that were potentially exposed via the Cisco Smart Install Client. Talos said that device owners can determine if their hardware is affected by running the command “show vstack config” to see if the Smart Install Client is active, and they can mitigate the problem by either running the command “no vstack” on the affected device or restricting access via an access control list for the interface.
In an April 7 article, Motherboard reported that the hackers behind the election message revealed their motive to the media outlet. “We were tired of attacks from government-backed hackers on the United States and other countries,” said an individual who Motherboard says controls an email address that was included in the hackers’ note. “We simply wanted to send a message.”