27 Dec 2024
Saturday 7 April 2018 - 09:13
Story Code : 299730

Iranian databases target of attacks caused by Cisco switch flaw

IFP - A flaw in Cisco switches has allowed hackers to target critical infrastructure in many countries with cyber attacks including Iran.



Reports say that important Iranian services and websites have become out of reach due to a problem in the datacentres of major internet service providers Afranet, Shatel, Sabanet, etc.

According to a security report from the Cisco Talos team as many as 168,000 systems in the world may be affected by the flaw.

A blog post by Ciscos Talos security unit says the cyber-attacks are exploiting what Cisco officials are calling a protocol misuse situation in Ciscos Smart Install Client, which is designed to enable the no-touch installation and deployment of new Cisco hardware, in particular Cisco switches.

Attackers have targeted a protocol issue with the Cisco Smart Install Client. If a user does not configure or turn off the Cisco Smart Install, it will hang out in the background waiting for commands on what to do.

Some reports indicate that some issues in the datacentres have created problems in using some of the popular sites, apps, and messengers in Iran as well many other countries. This has been caused by a disruption or potential attack on the communications infrastructure network in the past few hours.

Irans Communication and Information Technology Minister Mohammad Javad Azari-Jahromi has confirmed the attack on the countrys datacentres in a tweet.

The Iranian minister has also said that initial investigations indicate the settings of switching software have been attacked. A picture posted by Azari Jahromi shows the United States flag being in the background and a sentence that reads dont mess with our (US) elections. Azari Jahromi has stressed that the attacks are not limited to Iran noting in another tweet that so far, more than 95 percent of switches have resumed their service.

Cisco has issued a warning and urged Smart Install client users to patch and securely configure the software.

Attackers are exploiting a protocol misuse issue in Ciscos Smart Install Client to gain entry to critical infrastructure providers, according to researchers at Ciscos Talos Intelligence group.

Ciscos warning over the Smart Install client, a tool for rapidly deploying new switches, comes a week after it released a patch for a critical remote code execution flaw affecting the software.

On March 29, Cisco had warned that at least 8.5 million switches are open to attack.

Researchers have found that millions of Cisco network devices have been left vulnerable by an open TCP 4786 port.

Cisco has also seen a huge uptick in traffic to the TCP 4786 port that began around November 2017 and then spiked in April 2018.

According to Cisco, organizations can determine if a device is impacted by the Smart Install issues by running the command show vstack config, which will show if the Smart Install Client is active.

The easiest way to mitigate the issue is to run the command no vstack on the affected device. If this isnt possible, the best option is to restrict access through an access control list for the interface.

Cisco in February 2017 issued an alert after discovering a rise in the number of internet scans for systems where the Smart Install Client was not turned off or configured with the property security controls. Without the right security controls, hackers can send new commands to the switches running Ciscos IOS or IOS XE network operating system.


https://theiranproject.com/vdcjthe8yuqehaz.92fu.html
Your Name
Your Email Address