Attackers are exploiting a vulnerability in Cisco switches deployed in data centres across the world to leave politically-motivated messages, according to researchers.
Although the scale of the attack has yet to be determined, Talos, Cisco's cybersecurity arm, has identified more than 168,000 IoT devices with the vulnerability, with analysis by Kaspersky Lab suggesting the attack is mostly targeting the Russian-speaking portion of the internet, impacting entire internet providers and data centres.
A bot is searching for vulnerable Cisco switches via the Internet of Things (IoT) search engine Shodan, according to Kaspersky, and once it finds a vulnerability, can exploit the Cisco Smart Install Client software.
The flaw allows attackers to run arbitrary code on the vulnerable switches, before they are able to rewrite the Cisco IOS image and change the configuration file. Devices then boot up with the message "don't mess with our elections" and an image of the United States flag, before the switch becomes unavailable.
Image credit: Kaspersky
Cisco Talos threat researcher Nick Biasini warned that network administrators need to be especially vigilant, suggesting the simplest way to mitigate these issues is to run the command novstack on the affected device.
He said: "It can be easy to 'set and forget' these devices, as they are typically highly stable and rarely changed. Combine this with the advantages that an attacker has when controlling a network device, and routers and switches become very tempting targets."
Cisco has strongly recommended all customers review their architecture, and use tools provided by Talos to scan their network and remove Cisco Smart Install Client from all devices in instances where it's not being used.
While Talos believes attackers are "associated with nation-state actors", screenshots posted on Twitter by one affected user indicates a group named 'JHT' has claimed responsibility.
Reuters, meanwhile, reported a statement from the Iranian Communication and Information Technology Ministry that says the attack has affected 3,500 switches in Iran.
The Smart Client vulnerability dates back to February of last year, where Cisco first became aware of a significant increase in scans attempting to detect devices where the Smart Install feature remained enabled and without proper security controls, after setup was completed.
Smart Install was initially designed to make life easier for system administrators by allowing remote configuration and OS image management on Cisco switches. By design, these do not require authentication.
Kaspersky Labs suggests it may be a problem of data centres that fail to limit access to the TCP 4786 port, which needs to be open for the Smart Install to work, or to disable Smart Install once it is no longer in use.
Picture credit: Bigstock
-
Cleo attack victim list grows as Hertz confirms customer data stolenNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
Lateral moves in tech: Why leaders should support employee mobilityIn-depth Encouraging staff to switch roles can have long-term benefits for skills in the tech sector
-
Google shakes off tariff concerns to push on with $75 billion AI spending plans – but analysts warn rising infrastructure costs will send cloud prices sky highNews Google CEO Sundar Pichai has confirmed the company will still spend $75 billion on building out data centers despite economic concerns in the wake of US tariffs.
-
Cisco wants to capitalize on the ‘DeepSeek effect’News DeepSeek has had a seismic impact, and Cisco thinks it has strengths to help businesses transition to AI-native infrastructure
-
CoreWeave’s first two UK data centers are now operationalNews The company's European plans for this year also include new facilities in Norway, Sweden, and Spain
-
AWS eyes ‘flexible’ data center expansion with $11bn Georgia investmentNews The hyperscaler says the infrastructure will power cloud computing and AI growth
-
Future-proofing operationsWhitepaper The Foundational Role of IT Infrastructure and Connectivity Solutions in Achieving Business KPIs
-
Quantitative analysis of a prefabricated vs. traditional data centerWhitepaper Apples to apples cost analysis between data centre types
-
Battery technology for single phase UPS systems: VRLA vs. Li-ionWhitepaper An overview of li-ion batteries in comparison to VRLA batteries for singlephase UPS applications
-
Architecting enterprise networks for the next decadeWhitepaper A new paradigm in network architecture
