A flaw in Cisco switches has allowed hackers to hit critical infrastructure in many countries, including Iran, with cyberattacks.
Reports say that important Iranian services and websites have become unreachable due to a problem in the datacentres of major internet service providers such as Afranet, Shatel and Sabanet.
According to a security report from the Cisco Talos team, as many as 168,000 systems in the world may be affected by the flaw.
A blog post by Cisco’s Talos security unit says the cyber-attacks are exploiting what Cisco officials are calling a “protocol misuse” situation in Cisco’s Smart Install Client, which is designed to enable the no-touch installation and deployment of new Cisco hardware, in particular Cisco switches.
Attackers have targeted a protocol issue with the Cisco Smart Install Client. If a user does not configure or turn off the Cisco Smart Install client, it keeps running in the background, waiting for commands on what to do.
Some reports indicate that issues in the datacentres have created problems in using some of the popular sites, apps and messengers in Iran as well as in many other countries. This has been caused by a disruption or potential attack on the communications infrastructure network in the past few hours.
Iran’s Communication and Information Technology Minister Mohammad Javad Azari-Jahromi has confirmed the attack on the country’s datacentres in a tweet.
The Iranian minister has also said that initial investigations indicate the settings of switching software have been attacked. A picture posted by Azari-Jahromi shows the United States flag in the background and a sentence that reads “don’t mess with our (US) elections.” Azari-Jahromi has stressed that the attacks are not limited to Iran, noting in another tweet that so far more than 95 percent of switches have resumed their service.
Cisco has issued a warning and urged Smart Install client users to patch and securely configure the software.
Attackers are exploiting a “protocol misuse” issue in Cisco’s Smart Install Client to gain entry to critical infrastructure providers, according to researchers at Cisco’s Talos Intelligence group.
Cisco’s warning over the Smart Install client, a tool for rapidly deploying new switches, comes a week after it released a patch for a critical remote code execution flaw affecting the software.
On March 29, Cisco warned that at least 8.5 million switches are open to attack.
Researchers have found that millions of Cisco network devices have been left vulnerable by an exposed TCP port 4786.
Cisco has also seen a huge uptick in traffic to the TCP 4786 port that began around November 2017 and then spiked in April 2018.
According to Cisco, organizations can determine if a device is impacted by the Smart Install issues by running the command “show vstack config,” which will show if the Smart Install Client is active.
The easiest way to mitigate the issue is to run the command “no vstack” on the affected device. If this isn’t possible, the best option is to restrict access to the Smart Install port with an access control list on the interface.
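The check and the two mitigations described above, written out as an added illustration (this transcript is not from the article or from Cisco’s advisory). The hostname, the interface name and the 10.10.10.x addresses are constructed, and the `show vstack config` output is representative rather than copied from a device:

```text
! Step 1: confirm whether the Smart Install client is active on this switch.
Switch# show vstack config
 Role: Client (SmartInstall enabled)
 Vstack Director IP address: 0.0.0.0
!
! Step 2 (preferred): disable the client, save, and re-check.
Switch# configure terminal
Switch(config)# no vstack
Switch(config)# end
Switch# write memory
Switch# show vstack config
 Role: Client (SmartInstall disabled)
!
! Step 3 (fallback when Smart Install must stay enabled): allow TCP 4786 only
! from the legitimate director (constructed: 10.10.10.1) to this switch
! (constructed: 10.10.10.200), drop every other connection to 4786, and let
! all remaining traffic through. Apply the list inbound on the uplink.
Switch# configure terminal
Switch(config)# ip access-list extended SMI_HARDENING_LIST
Switch(config-ext-nacl)# permit tcp host 10.10.10.1 host 10.10.10.200 eq 4786
Switch(config-ext-nacl)# deny tcp any any eq 4786
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# ip access-group SMI_HARDENING_LIST in
Switch(config-if)# end
Switch# write memory
```

Two practical points: re-run `show vstack config` after a reload to confirm the setting survived, and on IOS releases that do not accept `no vstack` the access list is the only available mitigation, so it should be applied on every interface from which the switch can be reached on TCP 4786, not just the uplink shown here.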
Cisco in February 2017 issued an alert after discovering a rise in the number of internet scans for systems where the Smart Install Client was not turned off or configured with the proper security controls. Without the right security controls, hackers can send new commands to the switches running Cisco’s IOS or IOS XE network operating system.