A flaw in the routers of Cisco Smart Install Client was misused by a group of cyber miscreants to bring down Internet services on a global scale. Over 200,000 router switches across the world were affected by this attack, of which 3500 were from Iran, according to the country’s official news agency IRNA. According to Iran’s IT Minister Mohammas Javad Azari-Jahromi, Europe, India, and the U.S. were among those countries affected by the attack. The screens of the hacked machines had an image of the U.S. flag with the message “Don’t mess with our elections.”
On April 5, 2018, Cisco’s Talos Intelligence group announced on its official blog, “As part of the Cisco Talos investigation, we began looking at how many devices are potentially vulnerable to this attack. The results were extremely troubling. Using Shodan, Talos was able to identify that more than 168,000 systems are potentially exposed via the Cisco Smart Install Client. This is an improvement from the reported numbers in 2016, when fellow cyber security firm Tenable reported observing 251,000 exposed Cisco Smart Install Clients. There may be variations in methodology between the scans, but this still represents a substantial reduction in available attack surfaces.”
The IT and networking company also acknowledged the existence of ‘specific advanced actors’ aiming at Cisco switches by taking advantage of the vulnerability in the routers. They also mentioned in the blog that these cyber heists are believed to have been carried out by nation-state actors, similar to those mentioned by United States Computer Emergency Readiness Team. The IT service-provider is taking all necessary steps and has advised its customers of the situation and all helpful measures to be taken. Cisco’s Product Security Incident Response Team (PSIRT) had issued a red flag in 2017 on the vulnerability of the active scanning design of Cisco Smart Install Clients. They had even released an open source tool to aid in identifying any tools that use the same protocol.
