A new hacking group named ‘JHT’ hacked a large number of Cisco devices belonging to Russian and Iranian organizations during the previous week, leaving a message reading “Don’t mess with our elections” alongside an American flag.
Iranian Communication and Information Technology Minister MJ Azari Jahromi said that the campaign affected nearly 3,500 network switches in Iran, most of which have already been restored.
The group is believed to be targeting the many vulnerable installations of Cisco Smart Install Client, a legacy plug-and-play utility designed to help administrators configure and deploy Cisco equipment remotely. It is enabled by default on Cisco IOS and IOS XE switches and listens on TCP port 4786.
A remote code execution vulnerability (CVE-2018-0171) in Cisco Smart Install Client allows attackers to take complete control of the network equipment, and it is considered to be key to the attack.
Once compromised, the devices are reset and rendered unavailable. Rather than exploiting a vulnerability, the attackers are abusing the Smart Install protocol itself to overwrite the device configuration.
Cisco explains that the Cisco Smart Install protocol can be abused to modify the TFTP server setting, exfiltrate configuration files via TFTP, modify the configuration file, replace the IOS image, and set up accounts, allowing for the execution of IOS commands.
Netlab, the research arm of Chinese security firm Qihoo 360, affirms that the JHT campaign does not rely on the code execution vulnerability; instead, the attack exploits the lack of any authentication in the Cisco Smart Install protocol, an issue disclosed in March last year.
The Internet scanning engine Shodan reports that more than 165,000 systems exposed on the Internet are still running Cisco Smart Install Client on TCP port 4786.
Smart Install Client was designed to allow remote management of Cisco switches, so administrators who need it should keep it enabled but limit access to it using interface access control lists (ACLs).
Administrators who do not use the Cisco Smart Install feature must disable it completely with the configuration command “no vstack”.
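Checking a switch's running-config for both mitigations (the global “no vstack” command, and an inbound interface ACL that denies TCP/4786) can be scripted; the following Python audit is an added example, not code from the article or from Cisco. It assumes the usual IOS layout of unindented stanza headers followed by indented lines, that a disabled Smart Install shows up as an explicit “no vstack” line, and parses a constructed sample config with hypothetical ACL and interface names.

```python
import re

# Constructed sample running-config (not from the article). Smart Install is
# on by default, so only an explicit global "no vstack" line proves it is off.
SAMPLE_CONFIG = """\
ip access-list extended BLOCK-SMI
 permit tcp host 10.0.0.5 any eq 4786
 deny tcp any any eq 4786
 permit ip any any
interface GigabitEthernet1/0/1
 ip access-group BLOCK-SMI in
interface GigabitEthernet1/0/2
 description uplink with no ACL applied
"""

def stanzas(config):
    """Yield (header, indented body lines) for each IOS config stanza."""
    header, body = None, []
    for line in config.splitlines():
        if line.startswith(" ") and header is not None:
            body.append(line.strip())
            continue
        if header is not None:
            yield header, body
        header, body = line.strip(), []
    if header is not None:
        yield header, body

def inbound_acl(body):
    """Name of the ACL applied inbound on an interface, or None."""
    for line in body:
        m = re.match(r"ip access-group (\S+) in$", line)
        if m:
            return m.group(1)
    return None

def audit(config):
    """Smart Install state plus interfaces with no inbound ACL denying TCP/4786."""
    disabled, blocking, interfaces = False, set(), []
    for header, body in stanzas(config):
        if header == "no vstack":
            disabled = True
        elif header.startswith("ip access-list extended "):
            # 4786 is the Smart Install port; record ACLs that deny it
            if any(re.match(r"deny tcp .* eq 4786\b", l) for l in body):
                blocking.add(header.split()[-1])
        elif header.startswith("interface "):
            interfaces.append((header.split()[1], body))
    exposed = [n for n, b in interfaces if inbound_acl(b) not in blocking]
    return {"smart_install_disabled": disabled, "unprotected_interfaces": exposed}
```

Run `audit(SAMPLE_CONFIG)` to see that the sample device still has Smart Install enabled and that GigabitEthernet1/0/2 carries no ACL protecting it; an interface listed there needs either the ACL or the global “no vstack”.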
Even though the attacks do not rely on CVE-2018-0171, administrators are advised to install the patches that address it, because the technical details and a proof-of-concept (PoC) are already available on the Internet and attackers could easily use the flaw in their next attack.