Hackers Disrupt Critical Infrastructure Network Using Cisco Smart Install Flaw

Skybox Blog Team April 12, 2018

During the past week, Cisco’s Smart Install Client tool had been compromised by attackers, causing disruptions of the communication infrastructure of approximately 200,000 Cisco routers worldwide.

Cisco’s Smart Install Client is a piece of software which allows customers to deploy new switches remotely with no additional configuration requirements. The vulnerability allows for the misuse of the feature to allow a remote code execution on the router.

In the recent attack, the hackers managed to rewrite the Cisco IOS image on the switches and changed the configuration file leaving the message, “Do not mess with our elections,” along with an image of the U.S. flag.

  • Cisco Smart Install Attack

On March 28, 2018 Cisco published an advisory on the critical CVE-2018-0171 vulnerability in the Smart Install feature, along with the proof-of-concept exploit by Embedi researchers. This was a coordinated release, but it took Cisco six months to fix the vulnerability.

Since the end of March, it seems that a bot is utilizing the IoT search engine Shodan to detect vulnerable devices. Once a vulnerable device is found, the Smart Install Client is exploited to rewrite the config. As a result, some data centers are unavailable and websites are down.

In April, the vulnerability was exploited in the wild, affecting some 200,000 routers across the world:

  • 55,000 devices affected in the U.S.
  • 14,000 devices affected in China
  • 3,500 devices affected in Iran
  • Some devices affected in Russia and other countries

Embedi’s researchers say that a short scan of the internet detected 8.5 million devices that have a vulnerable port open. As the TCP 4786 port is open by default on many Cisco routers, this is cause for alarm.

  • JHT Threat Behind the Smart Install Attack

The new hacking group, calling itself “JHT” appears to be behind the attack, and was carried out in retaliation against attacks “from government-backed hackers in the U.S. and other countries.”

Motherboard has been in contact with the attackers via an email address in the configuration file message. The attackers stated, “We were tired of attacks from government-backed hackers on the United States and other countries.”

  • Cisco Smart Install Vulnerability

The story behind this vulnerability started back in February 2017, when Cisco published an advisory regarding the possible misuse of their Smart Install feature, but stated that this potential risk is a feature, not a bug. We’ve seen how that’s played out.

Now, according to the April 5, 2018 Cisco TALOS post, “The Cisco Smart Install protocol can be abused to modify the TFTP server setting, exfiltrate configuration files via TFTP, modify the configuration file, replace the IOS image and set up accounts, allowing for the execution of IOS commands. Although this is not a vulnerability in the classic sense, the misuse of this protocol is an attack vector that should be mitigated immediately.” Shortly after, the attack started.

This vulnerability is especially dangerous as it is a remote code execution vulnerability that does not require user interaction. Because some (or even the majority) of these routers are exposed to the internet, this is especially dangerous vulnerability, and hence the massive attack.

  • Affected Applications and Neutralizing the Threat

Multiple versions of Cisco IOS and IOS-XE routers are affected by this vulnerability.

Skybox users can use the Vulnerability Control module to manage the patching process, and make sure all the exposed routers are properly protected.

Cisco has released security updates that fix the issue. After the update is installed, choose one of the following mitigation options:

  • Run the no vstack command
  • Restrict access to port 4786 via an access control list for the interface

Related Posts

March Patch Tuesday and AMD Processor Vulnerability: CredSSP Vulnerability Main Focus of March Patch Tuesday

Triton Malware Can Remotely Target Critical Infrastructure: Triton malware (aka TRISIS) has joined the limited list of publicly identified malware targeted at operational technology (OT) networks.

The Skybox Blog Team is a group of talented, security-conscious writers dedicated to bringing you insights into trending topics, IT security developments, and Skybox solutions.

Recent Posts

Functional silos create dysfunctional OT security
Read More
What’s new in the Skybox Security version 11.5 release
Read More
Cryptomining is hottest new malware type, research reveals
Read More
Three ways to modernize your OT security programs
Read More
How to manage third-party cyber risk in banking and financial services
Read More
Vulnerability and Threat Trends Report highlights the importance of cyber exposure analysis that goes beyond CVSS rating
Read More