“Advanced actors” have exploited a flaw with Cisco routers to launch an attack at the weekend that apparently hit 200,000 routers around the world.

This included 3,500 switches in Iran, according to that country’s Communication and Information Technology Ministry, as reported by Iran’s official news agency IRNA.

And there is a suspicion that these “advanced actors” could have been working for a nation state, after computer screens in data centres in Iran were left with the image of a US flag on screens along with a warning: “Don’t mess with our elections”.

Router flaw

The Iranian statement said the attack, which hit ISPs and cut off web access for subscribers, was made possible by a vulnerability in routers from Cisco.

The networking giant had earlier issued a warning and provided a patch that some firms had failed to install over the Iranian new year holiday.

“Cisco has recently become aware of specific advanced actors targeting Cisco switches by leveraging a protocol misuse issue in the Cisco Smart Install Client,” blogged Nick Biasini, threat researcher at Cisco’s Talos Security Intelligence and Research Group.

“Several incidents in multiple countries, including some specifically targeting critical infrastructure, have involved the misuse of the Smart Install protocol,” wrote Biasini. “Some of these attacks are believed to be associated with nation-state actors, such as those described in US CERT’s recent alert. As a result, we are taking an active stance, and are urging customers, again, of the elevated risk and available remediation paths.”

The Cisco Smart Install Client is a legacy utility designed to allow no-touch installation of new Cisco equipment, specifically Cisco switches. But it seems that hackers have found how to exploit this, as the Cisco Smart Install protocol can be abused to modify the TFTP server setting, exfiltrate configuration files via TFTP, modify the configuration file, replace the IOS image, and set up accounts, allowing for the execution of IOS commands.

“Although this is not a vulnerability in the classic sense, the misuse of this protocol is an attack vector that should be mitigated immediately,” warned Biasini. “Throughout the end of 2017 and early 2018, Talos has observed attackers trying to scan clients using this vulnerability. Recent information has increased the urgency of this issue.”

Cisco’s Talos said it was able to identify that more than 168,000 systems are potentially exposed via the Cisco Smart Install Client.

“In order to secure and monitor perimeter devices, network administrators need to be especially vigilant,” Biasini warned. “It can be easy to ‘set and forget’ these devices, as they are typically highly stable and rarely changed.”

“Having observed attackers actively leveraging this vector, Cisco strongly encourages all customers to review their architecture, use the tools provided by Talos to scan their network, and remove Cisco Smart Install Client from all devices where it is not used,” he wrote.

Iran attack

According to Reuters, Iran’s IT Minister Mohammad Javad Azari-Jahromi posted a picture of a computer screen on Twitter with the image of the US flag and the hackers’ message. He said it was not yet clear who had carried out the attack.

Azari-Jahromi said the attack mainly affected Europe, India and the United States, state television reported.

“Some 55,000 devices were affected in the United States and 14,000 in China, and Iran’s share of affected devices was 2 percent,” Azari-Jahromi was quoted as saying.

Iran was famously hit by the Stuxnet worm that attacked systems controlling Iranian uranium processing centrifuges back in 2010.

It is widely believed that US’ National Security Agency (NSA) worked with the Israeli government to create the program.

Do you know all about security? Try our quiz!

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Apple Sales Rise 6 Percent After Early iPhone 16 Demand

Fourth quarter results beat Wall Street expectations, as overall sales rise 6 percent, but EU…

24 hours ago

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

1 day ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

1 day ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago