The Astronomical Cyber Attack Against ISPs and Data Centres Globally: More Than 200,000 Cisco Switches Hacked

A large-scale cyber attack has hit ISPs and data centres around the world by compromising Cisco switches. According to the reports, the attackers compromised more than 200,000 Cisco devices worldwide, including 3,500 switches in Iran. The attack abuses the Cisco Smart Install Client, for which Cisco had recently disclosed a remote code execution vulnerability; through it an attacker can take full control of a vulnerable switch and of the network it serves. Iran and Russia were the countries most affected, and the attackers left an image of a U.S. flag on screens together with a warning message: "Don't mess with our elections".
According to a Motherboard report, the hackers admitted that they scanned many countries for vulnerable systems, including the UK, the US and Canada, but said they only "attacked" Russia and Iran, apparently referring to the American flag image and their message.
The attack first hit ISPs and cut off web access for their subscribers. It was initiated by an unknown threat actor exploiting the Cisco Smart Install Client, which let the attacker run arbitrary code on vulnerable Cisco switches and reset them to their default configuration. Cisco's own investigation, using the Shodan search engine, identified more than 168,000 systems potentially exposed through the Smart Install Client (exposed, not confirmed exploited); an earlier survey by Tenable had counted 251,000 exposed Smart Install Clients around the world.
Iran's IT Minister Mohammad Javad Azari-Jahromi posted on Twitter a picture of a computer screen showing the U.S. flag and the hackers' message. He said it was not yet clear who had carried out the attack. In another tweet he said: "Approximately 3,500 routers, out of the hundreds of thousands of routers in the nationwide network, were affected by the cyber attack. The performance of companies in repelling the attack and restoring normal conditions has been evaluated. Weakness in informing the skilled center to companies and the weakness in the configuration of data centers have been"
According to Reuters, the attack mainly affected Europe, India and the United States; some 55,000 devices were affected in the United States and 14,000 in China. Over 200,000 Cisco network switches worldwide were hacked on Friday, apparently affecting large internet service providers and data centres across the world, especially in Iran, Russia, the United States, China, Europe and India, according to an Iranian government official.
The Growth of the Green-horn:
According to a note the hackers sent by email: "We were tired of attacks from government-backed hackers on the United States and other countries." If you take the attackers' reported motivations at face value, then the compromised devices in the U.S. have to be viewed as collateral damage: it was not their intent to target them, but the internet does not always have clear national borders. The summary is "the more visible the threat, the less dangerous it is". The vulnerability is severe enough to cause a lot of damage and to implant a man-in-the-middle agent, but the attacker does not appear to have taken advantage of that, which suggests no intention to inflict serious damage.
Are All the Targets Pre-Defined?
Iran's minister for communication and information technology, Mohammad Javad Azari-Jahromi, says in a statement: "The attack apparently affected 200,000 router switches across the world in a widespread attack, including 3,500 switches in our country." About 55,000 devices were affected in the U.S. and 14,000 in China; other victims were located in Europe and India, Azari-Jahromi reports. The attack on Cisco equipment apparently exploited a vulnerability in software called Cisco Smart Install Client, which allows hackers to run arbitrary code on the vulnerable switches, according to a blog post by Kaspersky Lab. The hackers apparently reset the targeted devices, making them unavailable for reconfiguration, and left a message reading "Do not mess with our election" along with a U.S. flag on some screens, Kaspersky Lab explains.
Azari-Jahromi's statement says the attack, which hit internet service providers and cut off web access for subscribers, was made possible by a vulnerability in Cisco devices for which Cisco had earlier issued a warning and provided a patch that some firms had failed to install over the Iranian New Year holiday.
Capitalisation of Risk and Vulnerability for This Attack:
As Kaspersky Lab assessed: "It seems that there's a bot that is searching for vulnerable Cisco switches via the IoT search engine Shodan and exploiting the vulnerability in them (or, perhaps, it might be using Cisco's own utility that is designed to search for vulnerable switches). Once it finds a vulnerable switch, it exploits the Smart Install Client, rewrites the configuration and thus takes another segment of the Internet down. That results in some data centers being unavailable, and that, in turn, results in some popular sites being down."
In an advisory on the Cisco switch vulnerability issued on Monday, CERT-In (the Indian Computer Emergency Response Team) stated that multiple vulnerabilities have been reported in Cisco IOS XE which could be exploited by a remote attacker who sends a crafted packet to an affected device, gaining full control of it or causing a denial of service condition.
Because Cisco Smart Install provides plug-and-play configuration and image management, an attacker who can reach the client can change the TFTP (Trivial File Transfer Protocol) server address on clients, copy the client's configuration file, and execute arbitrary commands on the client device, Cisco Talos researcher Nick Biasini notes. The Smart Install protocol itself performs no authentication, so these actions need nothing beyond reaching TCP port 4786 on the switch; this is the "protocol misuse" Cisco refers to, as distinct from the remote code execution bug it patched.
How to Be Safe (Remedy) from This Attack:
Cisco's Biasini recommends that the simplest way to mitigate these issues is to run the command "no vstack config" on the affected device. If, for some reason, that option is not available, the next best option is to restrict access to the Smart Install port with an access control list on the interface.
Barclays' Dhar notes: "The important measure is to disable vstack if Smart Install is not required and, if it is required, make sure you limit connections to port 4786 via an interface access control list."
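The two mitigations above, turned into a check a practitioner can run over device output already collected (an added example; not code from the article, Cisco or Barclays): it reads the output of `show vstack config` and a running-config and reports whether Smart Install is disabled, reachable only through an interface ACL that denies TCP/4786, or exposed. The device outputs are constructed samples; the `SMI_HARDENING_LIST` ACL mirrors the form Cisco's Smart Install hardening guidance gives, and the "SmartInstall enabled" wording of `show vstack config` is as documented in that guidance (check it against your release).

```python
"""Audit Cisco IOS device output for Smart Install exposure.

Added example, not from the article or from Cisco. It checks for the two
mitigations the article quotes (disable vstack, or ACL TCP/4786) over text
a practitioner already collects: `show vstack config` and `show running-config`.
All sample outputs below are constructed.
"""
import re

SMI_PORT = 4786

# Constructed `show vstack config` samples. The 'SmartInstall enabled' line is
# the wording Cisco's guidance documents for an active client (assumption: verify
# on your release). Smart Install is on by default, so a running-config with no
# 'vstack' line at all usually means ENABLED, which is why this output matters.
VSTACK_ENABLED = """\
Role: Client (SmartInstall enabled)
Vstack Director IP address: 0.0.0.0
"""
VSTACK_DISABLED = """\
Role: Client (SmartInstall disabled)
Vstack Director IP address: 0.0.0.0
"""

# Constructed running-config fragments: default (exposed), disabled, ACL-guarded.
CONFIG_EXPOSED = """\
hostname access-sw-01
!
interface Vlan1
 ip address 10.10.10.200 255.255.255.0
!
"""
CONFIG_NO_VSTACK = CONFIG_EXPOSED + "no vstack\n"
CONFIG_ACL = """\
hostname access-sw-02
!
ip access-list extended SMI_HARDENING_LIST
 permit tcp host 10.10.10.1 host 10.10.10.200 eq 4786
 deny tcp any any eq 4786
 permit ip any any
!
interface Vlan1
 ip address 10.10.10.200 255.255.255.0
 ip access-group SMI_HARDENING_LIST in
!
"""


def vstack_enabled(show_vstack_output: str) -> bool:
    """True if `show vstack config` reports the client feature enabled."""
    return re.search(r"SmartInstall enabled", show_vstack_output) is not None


def acls_blocking_smi(running_config: str) -> set:
    """Names of extended ACLs containing 'deny tcp any any eq 4786'."""
    names, current = set(), None
    for line in running_config.splitlines():
        m = re.match(r"ip access-list extended (\S+)", line)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):      # left the ACL block
            current = None
            continue
        if current and re.match(rf"\s*deny\s+tcp\s+any\s+any\s+eq\s+{SMI_PORT}\b", line):
            names.add(current)
    return names


def interfaces_with_inbound_acl(running_config: str, acl_names: set) -> list:
    """Interfaces that apply one of acl_names with 'ip access-group <name> in'."""
    hits, current = [], None
    for line in running_config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):
            current = None
            continue
        m = re.match(r"\s*ip access-group (\S+) in\b", line)
        if current and m and m.group(1) in acl_names:
            hits.append(current)
    return hits


def audit(show_vstack_output: str, running_config: str) -> str:
    """Return 'ok' (disabled), 'mitigated-by-acl', or 'exposed'."""
    disabled_in_config = any(l.strip() == "no vstack" for l in running_config.splitlines())
    if disabled_in_config or not vstack_enabled(show_vstack_output):
        return "ok"
    if interfaces_with_inbound_acl(running_config, acls_blocking_smi(running_config)):
        return "mitigated-by-acl"
    return "exposed"


if __name__ == "__main__":
    for label, vs, cfg in [("default", VSTACK_ENABLED, CONFIG_EXPOSED),
                           ("no vstack", VSTACK_ENABLED, CONFIG_NO_VSTACK),
                           ("acl", VSTACK_ENABLED, CONFIG_ACL)]:
        print(f"{label:10s} -> {audit(vs, cfg)}")
```

The global configuration command in Cisco's advisory is `no vstack`; after applying it (and after any reload) run `show vstack config` and confirm the role reads disabled rather than trusting the config text alone. The ACL check only proves that a deny for TCP/4786 exists and is applied inbound on some interface; every interface an untrusted network can reach still has to carry it, which this script does not verify.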
How Is India Affected by This Attack and Vulnerability?
According to a Shodan report on the Cisco Smart Install exposure, India's top 10 cities and top ISPs, including Tata Communications, Khetan Cable Network Pvt. Ltd., Rack Bank Datacenters Private Ltd., Sify Ltd and Excelmedia, as well as top domains including vsnl.net.in, sify.net, asianet.co.in and airtel.in, had switches exposing the Cisco Smart Install port 4786.
CERT-In also confirmed that Indian ISPs and data centres were vulnerable to the Cisco switch attacks. It also noted that a vulnerability exists in Cisco IOS Software and Cisco IOS XE Software due to an undocumented user account with privilege level 15 that has a default username and password; a remote attacker could exploit this by using the account to connect to an affected device, and successful exploitation could allow an unauthenticated, remote attacker to trigger a reload of the device, resulting in a denial of service condition, it said.
The Smart Install vulnerability has enabled the attacker to run arbitrary code and to reset switches to their factory default settings, which has given access to critical IT infrastructure at the affected data centres and ISPs.
For large enterprises, the first step is to create an up-to-date inventory of network devices and the software deployed on them so that the vulnerabilities can be tracked. This makes it possible to assess how many Cisco devices have port 4786 open, and helps CISOs identify affected machines and take remedial action.
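Finding which inventoried devices actually answer on port 4786 as a Smart Install client, as an added example (not code from the article, Cisco or Tenable): the probe and reply bytes are reproduced from memory of Cisco Talos's published smi_check utility and are an assumption to verify against that tool before relying on them; the in-process `MockSwitch` is a constructed stand-in that answers like an exposed client so the script runs offline.

```python
"""Check whether a host answers on TCP/4786 as an exposed Smart Install client.

Added example, not code from the article, Cisco or Tenable. SMI_PROBE and
SMI_ACTIVE_RESPONSE are reproduced from memory of Cisco Talos's smi_check tool
(assumption: verify against it). MockSwitch is a constructed loopback stand-in,
not a Smart Install implementation.
"""
import socket
import threading

SMI_PORT = 4786

# Probe sent to the client and the reply an active client returns (assumed).
SMI_PROBE = bytes.fromhex(
    "00000001" "00000001" "00000004" "00000008" "00000001" "00000000"
)
SMI_ACTIVE_RESPONSE = bytes.fromhex(
    "00000004" "00000000" "00000003" "00000008" "00000001" "00000000"
)


def classify(response: bytes) -> str:
    """Interpret what came back after sending SMI_PROBE."""
    if not response:
        return "no-reply"
    if response == SMI_ACTIVE_RESPONSE:
        return "smart-install-client-active"
    return "other-service"


def probe(host: str, port: int = SMI_PORT, timeout: float = 3.0) -> str:
    """Connect, send the probe, classify the answer; 'closed' if no TCP connect.

    Only run this against devices you are authorised to test.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(SMI_PROBE)
            try:
                data = sock.recv(1024)
            except socket.timeout:      # open port, silent service
                data = b""
    except OSError:
        return "closed"
    return classify(data)


class MockSwitch:
    """Loopback listener that answers SMI_PROBE the way an exposed client does
    (constructed for offline testing)."""

    def __init__(self, reply: bytes = SMI_ACTIVE_RESPONSE):
        self.reply = reply
        self._srv = socket.socket()
        self._srv.bind(("127.0.0.1", 0))
        self._srv.listen(1)
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self._srv.accept()
        with conn:
            if conn.recv(1024) == SMI_PROBE:
                conn.sendall(self.reply)
        self._srv.close()

    def probe_result(self) -> str:
        return probe("127.0.0.1", self.port)


def probe_closed_port() -> str:
    """Pick a loopback port nothing listens on and probe it (expected 'closed')."""
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return probe("127.0.0.1", port, timeout=1.0)


if __name__ == "__main__":
    print("mock exposed client :", MockSwitch().probe_result())
    print("mock non-SMI service:", MockSwitch(b"SSH-2.0-OpenSSH\r\n").probe_result())
    print("closed port         :", probe_closed_port())
```

Run `probe()` over the addresses in the inventory from a management host that is allowed to reach the switches; a result of `smart-install-client-active` on a device that is not meant to be a Smart Install client is the finding to act on with the `no vstack` or ACL remedy above. An `other-service` or `no-reply` result on an open port 4786 still deserves a look, since a middlebox or a different release may answer differently.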
Best Practices and Cisco's Advice
The best practice for preventing such vulnerabilities is to implement vulnerability management that scans for, detects and fixes such threats caused by device software issues as soon as they are known. Investing in a layered security plan with effective patch deployment for known vulnerabilities can help prevent attacks.
Nick Biasini, threat researcher at Cisco Talos, said in a blog post that, using the Shodan search engine, Talos found over 168,000 systems potentially exposed via the Cisco Smart Install Client in 2017, an improvement on the 2016 numbers, when Tenable reported observing 251,000 exposed Cisco Smart Install Clients. Cisco believes the hackers have taken advantage of these exposures, according to the blog post.
Biasini says that Cisco's Product Security Incident Response Team, after becoming aware of specific advanced actors targeting Cisco switches by leveraging a protocol misuse issue, issued an advisory detailing active scanning associated with Cisco Smart Install Clients, a legacy utility designed to allow no-touch installation of Cisco switches.
Cisco contends that the attacks on ISPs and data centers are likely associated with nation-state actors, such as those described in the U.S. CERT's recent alert, which stated that Russian government cyber activity is targeting energy and other critical infrastructure sectors.