Was there a known security vulnerability? You bet there was
Iran was hit with a cyber-attack over the weekend, as assailants targeted vulnerable Cisco switches, bringing data centers and internet service providers (ISPs) within the country to a standstill.
A number of other nations, including Russia, were also affected by the attack on Friday, where 200,000 router switches were reportedly compromised – 3,500 of these in Iran.
This caused disruption to web services, with 95% of routers back up and running later that evening, Iran’s IT minister Mohammad Javad Azari-Jahromi said over Twitter.
An impact on services in Europe, India, China and the United States was also reported.
The attackers left an image of an American flag on computer screens with a message that read: “Don’t mess with our elections”.
Rumours circulated attributing the attack to a known hacking group, responsible for sophisticated attacks on major infrastructure.
But the recent hit on computing facilities was no sophisticated intrusion: a vulnerability in Cisco’s Smart Install Client allowed attackers to execute malicious code, gaining access to and control of the targeted networks.
Cisco’s Talos security unit had warned about the exploit on Thursday, providing instructions for users to mitigate the issue.
It also released a patch the week before to counteract the remote code execution (RCE) flaw discovered in its switches.
The company said that the software flaw was being leveraged by state actors, citing an alert circulated in March by the United States Computer Emergency Readiness Team (US-CERT) that drew parallels with cyber-attacks on American infrastructure attributed to the Kremlin.
According to Motherboard, the culprits, who were contacted through an email address left on infected devices, had scanned various countries for vulnerable systems in an effort to improve security, claiming to have fixed problems on machines in both the US and UK.
“We simply wanted to send a message,” they told the publication.
“We were tired of attacks from government-backed hackers on the United States and other countries.”
Iran’s Telecommunications Ministry said that the timing of the attack indicated that it had not originated in the Middle East, while cybersecurity firm Symantec attributed the incident to the Dragonfly hacking group.
Dragonfly, active since 2011, has been known for sophisticated campaigns targeting Western infrastructure within the energy sector, Symantec reports.
The Smart Install Client has been a point of concern for over a year, particularly after Cisco noticed an increase in scanning for systems using the software in February 2017.
Using the Shodan search engine, Cisco found that some 168,000 systems around the world were still exposed because Smart Install Client was in use and had not been patched.
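For administrators checking their own switches against the exposure described above, the following Cisco IOS configuration walk-through is an added example (not text from the article, and not Cisco's or Talos's own advisory wording). It assumes a director at the constructed address 192.0.2.10 and an uplink on GigabitEthernet0/1; Smart Install listens on TCP port 4786.

```cisco
! Constructed example: harden a switch whose Smart Install client is active.
! Step 1 - check current state; many IOS/IOS XE switches ship with the client enabled.
show vstack config

! Step 2 (preferred) - disable the client entirely so TCP/4786 stops listening.
configure terminal
 no vstack
end
write memory

! Step 3 (only if Smart Install is genuinely required) - keep the client but
! allow TCP/4786 solely from the known director (192.0.2.10 is a placeholder).
configure terminal
 ip access-list extended SMI-DIRECTOR-ONLY
  permit tcp host 192.0.2.10 any eq 4786
  deny   tcp any any eq 4786
  permit ip any any
 interface GigabitEthernet0/1
  ip access-group SMI-DIRECTOR-ONLY in
end
write memory

! Step 4 - verify, and repeat the check after the next reload to confirm the
! setting persisted; a re-enabled client is the condition the scans were finding.
show vstack config
show ip access-lists SMI-DIRECTOR-ONLY
```

The ACL only narrows who can reach the service; it does not replace the patch, so the upgrade Cisco released for the RCE flaw still has to be applied.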