A new hacking group calling itself "JHT" has reportedly taken over numerous Cisco devices belonging to organizations in Russia and Iran, leaving behind a message that reads "Do not mess with our elections" alongside an ASCII-art rendering of the American flag. The message matters less than what the intrusion exposes: a default-on management feature in widely deployed network switches that can be driven by anyone who can reach it.

According to Iranian Communication and Information Technology Minister MJ Azari Jahromi, the attack hit around 3,500 network switches in Iran, most of which have since been restored. The JHT group is believed to be abusing the Cisco Smart Install Client, a legacy plug-and-play feature for remotely configuring and deploying new Cisco switches. The client is enabled by default on Cisco IOS and IOS XE switches and listens on TCP port 4786.

Early analysis tied the attack to a recently disclosed remote code execution vulnerability in the Smart Install Client (CVE-2018-0171), which, if exploited, gives an attacker complete control of the affected device. Cisco, however, says the attackers are more likely using the Smart Install protocol as designed to overwrite device configurations, rather than exploiting any specific flaw.

Cisco notes that the Smart Install protocol can be misused to change the device's TFTP server setting, pull configuration files off the device over TFTP, modify the configuration, replace the IOS image, and create accounts, which in turn allows execution of arbitrary IOS commands. None of this requires a bug: the Smart Install protocol has no authentication at all, a weakness that was highlighted last year.

Analysis by Qihoo 360's Netlab reaches the same conclusion: JHT's activity does not depend on the disclosed code execution vulnerability but on the absence of authentication in the Smart Install protocol. Data from the Internet scanning engine Shodan shows more than 165,000 systems exposed to the Internet with the Cisco Smart Install Client listening on TCP port 4786, all of them open to the same kind of attack.

Because the Smart Install Client exists for remote management of Cisco switches, administrators who genuinely need it should keep it reachable only from trusted management hosts, using an interface access control list (ACL) that permits TCP port 4786 from those hosts and denies it from everywhere else. Anyone not using Smart Install should disable it outright with the global configuration command "no vstack", and then confirm the state with "show vstack config", since a switch at its default prints nothing about the feature in its running configuration.
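To make the two mitigations above checkable rather than a matter of eyeballing a config, here is an added example (not code from the article or from Cisco) that audits running-config text: it reports whether "no vstack" is present and whether each interface's inbound ACL actually blocks TCP port 4786 from arbitrary sources, walking the entries first-match the way IOS does. The two config excerpts, the ACL name MGMT-IN and the addresses in them are constructed for this example.

```python
"""Audit a Cisco IOS running-config for Smart Install (SMI) exposure.

Added example, not code from the article or from Cisco. It checks the two
mitigations discussed above ("no vstack" as a global command, and an inbound
extended ACL on each interface that blocks TCP/4786 from arbitrary sources,
evaluated first-match as IOS does). Both config samples are constructed.
"""
import re

SMI_PORT = 4786


def vstack_disabled(config):
    """True if 'no vstack' appears as a global (unindented) command; while the
    feature sits at its enabled default nothing about it is printed at all."""
    return any(line.rstrip() == "no vstack" for line in config.splitlines())


def _parse_ace(tokens):
    """One extended ACE -> (action, proto, src_is_any, dst_port); None for remarks."""
    if not tokens or tokens[0] not in ("permit", "deny"):
        return None
    action, proto, src_any = tokens[0], tokens[1], tokens[2] == "any"
    i = 2 + (1 if tokens[2] == "any" else 2)    # source: any | host A | A WILD
    i += 1 if tokens[i] == "any" else 2         # destination, same three forms
    dst_port = None
    if i + 1 < len(tokens) and tokens[i] == "eq":
        port = tokens[i + 1]                    # numeric, or a name like 'telnet'
        dst_port = int(port) if port.isdigit() else port
    return action, proto, src_any, dst_port


def parse_config(config):
    """Return ({acl: [ace, ...]}, {interface: inbound acl}, [interfaces])."""
    acls, inbound, interfaces, section, name = {}, {}, [], None, None
    for line in config.splitlines():
        tokens = line.split()
        if not line.startswith(" "):            # a global command opens a section
            m = re.match(r"(ip access-list extended|interface) (\S+)", line)
            section, name = (m.group(1), m.group(2)) if m else (None, None)
            if section == "interface":
                interfaces.append(name)
            elif section:
                acls[name] = []
        elif tokens and section == "ip access-list extended":
            ace = _parse_ace(tokens[1:] if tokens[0].isdigit() else tokens)
            if ace:
                acls[name].append(ace)
        elif section == "interface" and tokens[:2] == ["ip", "access-group"]:
            if tokens[-1] == "in":
                inbound[name] = tokens[2]
    return acls, inbound, interfaces


def acl_blocks_smi(aces):
    """First-match check for TCP/4786 from an arbitrary (Internet) source.
    Only 'any'-source entries can match such a packet; source-scoped entries are
    restrictions. No matching permit means the implicit 'deny ip any any' at the
    end of every IOS ACL blocks the port."""
    for action, proto, src_any, dst_port in aces:
        if src_any and proto in ("ip", "tcp") and dst_port in (None, SMI_PORT):
            return action == "deny"
    return True


def assess(config):
    """Report whether SMI is disabled and which interfaces still expose it."""
    acls, inbound, interfaces = parse_config(config)
    exposed = []
    for iface in interfaces:
        acl = inbound.get(iface)
        # no inbound ACL, an ACL IOS treats as undefined (permits everything),
        # or one whose first matching entry permits the port: still reachable
        if acl is None or acl not in acls or not acl_blocks_smi(acls[acl]):
            exposed.append(iface)
    return {"vstack_disabled": vstack_disabled(config), "exposed_interfaces": exposed}


# Constructed: Smart Install at its enabled default and no inbound filtering.
WEAK_CONFIG = """\
interface GigabitEthernet1/0/1
 ip address 203.0.113.10 255.255.255.0
"""

# Constructed: feature off, plus an uplink ACL that admits TCP/4786 only from
# the management subnet and drops it from everyone else before the catch-all.
HARDENED_CONFIG = """\
no vstack
!
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.0.255 any eq 4786
 deny   tcp any any eq 4786
 permit ip any any
!
interface GigabitEthernet1/0/1
 ip address 203.0.113.10 255.255.255.0
 ip access-group MGMT-IN in
"""
```

Feed it the output of "show running-config"; assess(WEAK_CONFIG) flags the uplink as exposed, assess(HARDENED_CONFIG) flags nothing. Two design points are worth noting. The ordering in the ACL matters: a "permit ip any any" placed before the "deny ... eq 4786" line would be the first match for an Internet source and the audit would report the interface as exposed, which is exactly what IOS would do with the packet. And filtering alone only narrows who can speak to the client; a host inside the permitted subnet can still drive the unauthenticated protocol, so "no vstack" remains the right answer wherever the feature is not in use.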

Even though these breaches are not tied to CVE-2018-0171, administrators should still apply the patch for it: proof-of-concept details are publicly available, so exploitation is a realistic risk. Filtering or disabling Smart Install and patching the client address different problems, and both are needed to keep this management path from becoming the next intrusion vector.

In MITRE ATT&CK terms, initial access here came through a public-facing, unauthenticated management service rather than a code-execution exploit, and the attackers' follow-on actions (overwriting device configurations, with the same protocol offering configuration exfiltration, IOS image replacement and account creation) map to persistence and impact on network devices. The incident underscores the need for strict control over how, and from where, network devices can be managed.
