200,000 Cisco Network Switches Reportedly HackedWhat Remediation Steps Should Be Taken?
Over 200,000 Cisco network switches worldwide were hacked Friday, apparently affecting large internet service providers and data centers across the world, especially in Iran, Russia, the United States, China, Europe and India, according to an Iranian government official.
See Also: Automating Security Operations
The impact of the attack, including data loss, is not yet clear. It's also not yet clear who carried out the attack.
But Motherboard reports that someone in control of an email address left in the note on affected machines told the publication: "We were tired of attacks from government-backed hackers on the United States and other countries."
Tim Erlin, a vice president at Tripwire, notes: "If you take the reported motivations of the attackers at face value, then you have to view compromised devices in the U.S. as collateral damage. It wasn't their intent to target them, but the internet doesn't always have clear national borders."
Avivah Litan, vice president at Gartner Research, offers insights on who might be responsible. "Because the attack is so visible, it seems more like the work of anarchic hactivists like Anonymous, who make anarchistic political statements in a very visible way," she says. "My take is that the more visible the threat, the less dangerous it is. These guys seems like a bunch of crazy, over-the-top, angry amateur hackers trying to get global attention. I wouldn't look for much logic in their targets - other than they are designed to get them the most attention."
Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, adds: "This doesn't look like a serious cyberattack by a well-organized and funded threat actor [nation-state]. The vulnerability is severe enough to cause a lot of damage and implant a man-in-the-middle agent, but it doesn't look like the attacker took advantage of it. I suspect this is the work of a hacktivist group with sympathy toward the U.S., which had no intention to inflict serious damage."
Iran's minister for communication and information technology, Mohammad Javad Azari-Jahromi, says in a statement: "The attack apparently affected 200,000 router switches across the world in a widespread attack, including 3,500 switches in our country."
About 55,000 devices were affected in the U.S. and 14,000 in China; other victims were located in Europe and India, Azari-Jahromi reports.
The hacker attack on Cisco router equipment apparently exploited a vulnerability in software called Cisco Smart Install Client, which allows hackers to run arbitrary code on the vulnerable switches, according to a blog by Kaspersky Lab.
The hackers apparently reset the targeted devices, making them unavailable for reconfiguration and leaving a message that reads: "Do not mess with our election," displaying a U.S. flag on some screens, Kaspersky Lab explains.
The statement from Iran's Azari-Jahromi says the attack, which hit internet service providers and cut off web access for subscribers, was made possible by a vulnerability in routers from Cisco, which had earlier issued a warning and provided a patch that some firms had failed to install over the Iranian New Year holiday.
Nick Biasini, threat researcher at Cisco Talos, said in a blog post that by using computer search engine Shodan, it discovered over 168,000 systems are potentially exposed via the Cisco Smart Install Client in 2017, which is an improvement from the reported numbers in 2016, when Tenable reported observing 251,000 exposed Cisco Smart Install Clients.
Cisco's executives believe that the hackers have taken advantage of the vulnerabilities, according to the blog.
Biasini says that Cisco's Product Security Incident Response Team, after becoming aware of specific advanced actors targeting Cisco switches by leveraging a protocol misuse issue, issued an advisory detailing active scanning associated with Cisco Smart Install Clients, a legacy utility designed to allow no-touch installation of Cisco switches.
Cisco contends that the attacks on ISPs and data centers are likely associated with nation-state actors, such as those described in the U.S. CERT's recent alert, which stated that Russian government cyber activity is targeting energy and other critical infrastructure sectors.
In its blog post, Kaspersky Lab states: "It seems that there's a bot that is searching for vulnerable Cisco switches via the IoT search engine Shodan and exploiting the vulnerability in them (or, perhaps, it might be using Cisco's own utility that is designed to search for vulnerable switches). Once it finds a vulnerable switch, it exploits the Smart Install Client, rewrites the configuration and thus takes another segment of the Internet down. That results in some data centers being unavailable, and that, in turn, results in some popular sites being down."
In an advisory on Cisco switch vulnerability issued Monday, the Indian Computer Emergency Response Team stated multiple vulnerabilities have been reported in Cisco IOS XE ,which could be exploited by a remote attacker to send a crafted packet to an affected device and gain full control also conduct denial of service condition.
"The massive cyberattack has exploited a vulnerability in Cisco switches and severely impacted the critical infrastructure across countries, with India being no exception, which has over 3,900 critical infrastructure devices which are potentially vulnerable," says Sumit Dhar, India head of Resilience & Global Resilience Partner, Barclays Bank.
Given that the Cisco Smart Install device enables easy plug-n-play configuration and image management functionality, attackers can change TFTP, Trivial File Transfer Protocol, server address on clients and also copy client's configuration file, while executing random commands on the client device, he notes.
Cisco's Biasini recommends that the simplest way to mitigate these issues is to run the command "no vstack config" on the affected device. If, for some reason, that option isn't available, the best option would be to restrict access via an access control list for the interface.
Barclays' Dhar notes: "The important measure is to disable vstack if Smart Install is not required and if it is required, make sure you limit connections to port 4786 via interface access control list."
Vulnerabilities in India
According to Cisco's Smart vulnerability Shodan report, India's top 10 cities and top ISPs, including Tata Communications, Khetan Cable Network Pvt. Ltd. Rack Bank Datacenters Private Ltd., Sify Ltd, Excelmedia, as well as top domains, including vsnl.net.in, sify.net, asianet.co.in, airtel.in, among others, carried Cisco Smart Install Port 4786 switch vulnerabilities.
CERT-In also confirmed that Indian ISPs and data centers were vulnerable to Cisco switch attacks because a vulnerability exists in Cisco IOS Software and Cisco IOS XE Software due to an undocumented user account with privilege level 15 that has a default username and password. A remote attacker could exploit this vulnerability by using this account to remotely connect with affected device. Successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service condition, it said.
Sriram S, Co-founder of iValue InfoSolutions Pvt. Ltd., a managed service provider, notes: "The vulnerability has enabled the attacker to run random codes along with resetting to factory default setting, which has resulted in giving access to critical IT infrastructure at data centre or ISP."
Avinash Prasad, vice president and head of the managed security services business at Tata Communications, says his team has been tackling the Cisco switch vulnerabilities and trying to fix issues.
Because all software can have vulnerabilities, Ashish Thapar , managing principal-APJ, Verizon, says it's critical that companies "harden their systems to only expose minimal functionalities/services/ports/protocols to limit their attack surface."
Also critical, says Sandesh Anand, a security consultant with a global electronic automation company, is to create an "up-to-date inventory of network devices and software deployed" to help track the vulnerabilities. This will enable you to assess how many of your Cisco network equipment have port 4786 open, and this process will help CISOs easily identify affected machines and take remedial actions," Anand says.
Sriram of iValue InfoSolutions adds: "The best practice to prevent such vulnerabilities would be implementing vulnerability management solutions to scan/detect and fix in real time such threats caused by device software issues." Investing in a layered security plan with effective patch deployment for known vulnerabilities can help prevent attacks, he adds.
ISMG editors Suparna Goswami, Varun Haran and Nick Holland contributed to this story.