Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • Hackers appear to be using a script to identify and break misconfigured Cisco switches located in Russia and Iran.
  • One of the purported hackers cited “attacks from government-backed hackers” as motivation for their attack.

Hackers have leveraged a recently disclosed Cisco vulnerability to attack network switches in Russia and Iran, according to a report by Kaspersky Lab. The attackers are breaking the configuration of the switch and leaving behind the message “Don’t mess with our elections” followed by an ASCII rendition of the American flag, the report said. As a result, websites and data centers that rely on the correct operation of those switches are not functioning.

The vulnerability relates to an implementation flaw in the Cisco Smart Install (SMI) Client, which under normal circumstances enables zero-touch installation of new switches in a network. The Smart Install Client is always listening unless explicitly disabled, making it possible to “modify the TFTP server setting, exfiltrate configuration files via TFTP, modify the configuration file, replace the IOS image, and set up accounts, allowing for the execution of IOS commands.” Previous reporting by TechRepublic’s Conner Forrest provides further details and mitigation steps for the vulnerability.
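
Because the client is on by default, an inventory check has to treat a missing setting as "enabled". The following is an added example, not code from the article or from Cisco: a Python audit of archived switch output that assumes Cisco's `no vstack` configuration command and the `show vstack config` output strings, that every capture comes from a Smart Install-capable switch, and uses constructed captures with hypothetical hostnames.

```python
import re

# Constructed captures with hypothetical hostnames (not from real devices).
CAPTURES = {
    "sw-01": "hostname sw-01\n!\ninterface Vlan1\n ip address 192.0.2.10 255.255.255.0\n!\nend\n",
    "sw-02": "hostname sw-02\n!\nno vstack\n!\nend\n",
    "sw-03": "sw-03# show vstack config\n Role: Client (SmartInstall enabled)\n"
             " Vstack Director IP address: 0.0.0.0\n",
    "sw-04": "sw-04# show vstack config\n Capability: Client\n Oper Mode: Enabled\n Role: Client\n",
    "sw-05": "sw-05# show vstack config\n Role: Client (SmartInstall disabled)\n",
}

SHOW_ENABLED = re.compile(r"smartinstall enabled|oper mode:\s*enabled", re.I)
SHOW_DISABLED = re.compile(r"smartinstall disabled|oper mode:\s*disabled", re.I)


def smart_install_state(capture: str) -> str:
    """Classify one capture as 'enabled', 'disabled' or 'unknown'."""
    lines = [line.strip() for line in capture.splitlines()]
    if any(line.lower().endswith("show vstack config") for line in lines):
        # Output of the show command states the client's status directly.
        body = "\n".join(lines)
        if SHOW_ENABLED.search(body):
            return "enabled"
        if SHOW_DISABLED.search(body):
            return "disabled"
        return "unknown"
    # Running-config: the client is on by default and the default is not
    # printed, so only an explicit "no vstack" line means it is off.
    # Assumption: the device supports Smart Install at all.
    return "disabled" if "no vstack" in lines else "enabled"


def audit(captures: dict) -> list:
    """Return hostnames whose Smart Install client is not confirmed disabled."""
    return sorted(h for h, c in captures.items() if smart_install_state(c) != "disabled")


if __name__ == "__main__":
    for host in audit(CAPTURES):
        print(f"{host}: Smart Install client {smart_install_state(CAPTURES[host])}")
```

Searching a saved configuration for the word `vstack` alone would miss `sw-01`, which never mentions the feature and is therefore still enabled.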


For the record, Cisco does not consider this a vulnerability. Because SMI by design allows for unauthenticated remote users to force configuration changes and reboot devices, the company’s official position is that this, and related attacks, constitute a “misuse of the Smart Install protocol,” according to Cisco’s advisory about the situation. The original report by Talos Intelligence (which is owned by Cisco) detailing the situation indicated that a search on Shodan returned 168,000 vulnerable switches.

The attack targeting systems in Russia and Iran may well be the work of script kiddies. In an email exchange with Motherboard, an individual purportedly responsible for the attack stated that: “We were tired of attacks from government-backed hackers on the United States and other countries.”

Motherboard pointed to a utility named Autosploit, which automates searching for vulnerable systems via Shodan and allows for the deployment of Metasploit modules to greatly simplify remote code execution. The Kaspersky report indicates that the attack primarily targets the “Russian-speaking segment of the Internet,” though it does not show the number of systems affected. Reuters reported that 3,500 switches in Iran were affected by the attack, though over 95% have been repaired, according to Iranian IT Minister Mohammad Javad Azari-Jahromi.

The advisory by Talos Intelligence also noted that nation-state actors have likely leveraged SMI in attacks, specifically in attacks against critical infrastructure. That advisory references a US-CERT report from March 15, 2018 detailing “Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.” No Iranian connection has been named by Talos or US-CERT, making the motive for including the country in this attack unclear.

Former NSA Tailored Access Operations member Jake Williams indicated in a series of tweets that the attack against Russia and Iran is unlikely to be state-sponsored.