Proof-of-concept exploit code for a just-fixed vulnerability affecting Cisco switches has been used to attack networks and data centers in Russia and Iran.
After exploiting the flaw, the attackers used code that let them rewrite the Cisco IOS image on the switches and change the configuration file, leaving a message that reads "Do not mess with our elections," researchers at Kaspersky Lab said.
“It seems that there’s a bot that is searching for vulnerable Cisco switches via the IoT search engine Shodan and exploiting the vulnerability in them (or, perhaps, it might be using Cisco’s own utility that is designed to search for vulnerable switches). Once it finds a vulnerable switch, it exploits the Smart Install Client, rewrites the config – and thus takes another segment of the Internet down,” the Kaspersky researchers said in a post.
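The scenario Kaspersky describes (a scanner that finds switches with an exposed Smart Install client and then rewrites their configuration) is something an administrator can check for on their own equipment. The script below is an added example, not code from the article, from Kaspersky or from Cisco. It assumes two things that are not stated on this page: that the Smart Install client listens on TCP port 4786, and that the 24-byte probe and the reply an exposed client returns are the byte patterns published in Cisco Talos's smi_check and the open-source SIET tool (verify them against those sources before relying on this). It also assumes that on affected IOS versions the client is on by default and that the `no vstack` configuration command disables it, so a `show running-config` without that line is treated as exposed. The sample configurations are constructed for the example.

```python
"""Check whether a Cisco switch exposes its Smart Install client.

Added example, not the article's or Cisco's code. Assumptions (see lead-in):
TCP/4786 is the Smart Install port; the probe/reply bytes follow the public
smi_check / SIET patterns; `no vstack` is what disables the client.
"""
import socket
import struct

SMI_PORT = 4786  # assumption: Smart Install client port

# Six big-endian 32-bit words; constructed from the public smi_check probe.
SMI_PROBE = struct.pack(">6I", 1, 1, 4, 8, 1, 0)
# Reply an exposed Smart Install client is expected to send back.
SMI_CLIENT_REPLY = struct.pack(">6I", 4, 0, 3, 8, 1, 0)


def build_probe() -> bytes:
    """Return the 24-byte Smart Install probe message."""
    return SMI_PROBE


def classify_response(data: bytes) -> str:
    """Classify what a host returned on TCP/4786.

    'smart-install-client' - reply starts with the known client answer
    'no-response'          - nothing came back (closed, filtered, or no SMI)
    'unknown'              - something answered, but not like a Smart Install client
    """
    if not data:
        return "no-response"
    if data[: len(SMI_CLIENT_REPLY)] == SMI_CLIENT_REPLY:
        return "smart-install-client"
    return "unknown"


def check_host(host: str, timeout: float = 3.0) -> str:
    """Send the probe to one host and classify the reply.

    Network I/O: only run this against devices you are authorised to test.
    """
    try:
        with socket.create_connection((host, SMI_PORT), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(build_probe())
            data = sock.recv(len(SMI_CLIENT_REPLY))
    except (OSError, socket.timeout):
        return "no-response"
    return classify_response(data)


def smart_install_enabled_in_config(running_config: str) -> bool:
    """Offline check on `show running-config` text.

    Assumption: the client is on by default, so it is enabled unless the
    configuration explicitly contains `no vstack`.
    """
    for line in running_config.splitlines():
        if line.strip() == "no vstack":
            return False
    return True


# Constructed sample configurations, not captured from a real device.
VULNERABLE_CONFIG = """\
hostname core-sw-01
!
ip domain-name example.test
!
interface GigabitEthernet1/0/1
 switchport mode access
!
line vty 0 4
 transport input ssh
"""

# Same configuration with the Smart Install client explicitly disabled.
HARDENED_CONFIG = VULNERABLE_CONFIG.replace(
    "!\nip domain-name", "!\nno vstack\n!\nip domain-name"
)


if __name__ == "__main__":
    print("probe:", build_probe().hex())
    print("constructed reply ->", classify_response(SMI_CLIENT_REPLY))
    print("vulnerable config enabled?", smart_install_enabled_in_config(VULNERABLE_CONFIG))
    print("hardened config enabled?", smart_install_enabled_in_config(HARDENED_CONFIG))
```

`check_host` is the only function that touches the network; everything else works on bytes and text so it can be run against captured responses and archived configurations. A switch that answers the probe with the client reply, or whose configuration lacks `no vstack`, should have Smart Install disabled (or TCP/4786 filtered at the network edge) in addition to receiving Cisco's fixed software.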
The Iranian Communication and Information Technology Ministry confirmed that 3,500 switches in the country were affected by the attack, and put the worldwide count at some 200,000 switches.
“Some 55,000 devices were affected in the United States and 14,000 in China, and Iran’s share of affected devices was 2 percent,” said Iran’s IT Minister Mohammad Javad Azari-Jahromi in a report.
The attackers left a contact email address in the message and Motherboard managed to get in touch with them.
According to the attackers, the aim was to retaliate for "attacks from government-backed hackers on the United States and other countries."
Cisco had already released security updates that fix the issue, but many administrators had not applied them before the attacks happened.
“Two weeks ago, the U.S. Cyber Command published a bold vision document describing ‘continuous engagement’ to ‘persistently contest malicious cyberspace actors.’ Last week, Cisco Talos issued a blog post stating that U.S. critical infrastructure was being targeted by Dragonfly – a group of Russian nation-state hackers also identified in the recent FBI/DHS alert – who were exploiting the same Smart Install bug in Cisco routers,” said Phil Neray, vice president of Industrial Cybersecurity for CyberX, a Boston-based critical infrastructure security company. “Could this breach of Iran’s data centers be the first example of this new and more active approach by the U.S. Cyber Command — or is it a false flag operation by a malicious group?”