FNA - Iran's cyber police confirmed the Friday night attack on the country's datacenters, but still stressed that no sensitive data has been leaked by the flaw in Cisco switches.
"There has been no unusual access and leak of data and the problems have been resolved," Chief of the Detection and Prevention Center in FATA (Iran's Cyber Police) Ali Niknafs said on Saturday.
He added that any Iranian company or organization that notices any disorder or anomaly in its network when work resumes on Saturday morning should act immediately to resolve the problem.
A flaw in Cisco switches allowed hackers to target critical infrastructure in many countries with cyberattacks, including Iran.
Reports said last night that important Iranian services and websites became unreachable because of problems in the datacenters of major internet service providers, including Afranet, Shatel and Sabanet.
According to a security report from the Cisco Talos team, as many as 168,000 systems worldwide might have been affected by the flaw.
A blog post by Cisco’s Talos security unit said the cyber-attacks are exploiting what Cisco officials are calling a “protocol misuse” situation in Cisco’s Smart Install Client, which is designed to enable the no-touch installation and deployment of new Cisco hardware, in particular Cisco switches.
Attackers have targeted a protocol issue in the Cisco Smart Install Client. If an administrator neither configures nor turns off Smart Install, the client keeps running in the background, waiting for commands telling it what to do.
Some reports indicate that the problems in the datacenters have disrupted access to popular sites, apps and messengers in Iran as well as in many other countries. This was caused by a disruption of, or a possible attack on, the communications infrastructure network in the past few hours.
Iran’s Communication and Information Technology Minister Mohammad Javad Azari Jahromi confirmed the attack on the country’s datacenters in a tweet on Friday night.
The Iranian minister also said that initial investigations indicate the settings of switching software had been attacked.
A picture posted by Azari Jahromi shows the United States flag in the background and a sentence that reads "don't mess with our (US) elections".
Azari Jahromi stressed that the attacks are not limited to Iran, noting in another tweet that so far, more than 95 percent of switches have resumed their service.
Cisco has issued a warning and urged Smart Install client users to patch and securely configure the software.
Attackers are exploiting a “protocol misuse” issue in Cisco’s Smart Install Client to gain entry to critical infrastructure providers, according to researchers at Cisco’s Talos Intelligence group.
Cisco’s warning over the Smart Install client, a tool for rapidly deploying new switches, comes a week after it released a patch for a critical remote code execution flaw affecting the software.
On March 29, Cisco had warned that at least 8.5 million switches are open to attack.
Researchers have found that millions of Cisco network devices have been left vulnerable by leaving TCP port 4786 open to the internet.
Cisco has also seen a huge uptick in traffic to the TCP 4786 port that began around November 2017 and then spiked in April 2018.
According to Cisco, organizations can determine if a device is impacted by the Smart Install issues by running the command “show vstack config,” which will show if the Smart Install Client is active.
The easiest way to mitigate the issue is to run the command “no vstack” on the affected device. If this isn’t possible, the best option is to restrict access through an access control list for the interface.
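The check and the two mitigations described above, written out as Cisco IOS configuration; this is an added example, not text from the article or from Cisco's advisory, and the interface name, ACL name and director address are assumed.

```cisco
! Added example, not from the article or from Cisco's own advisory.
! Interface name, ACL name and the 10.0.0.5 director host are assumed values.

! Step 1: check whether the Smart Install client is active on this switch.
show vstack config
! A line such as "Role: Client (SmartInstall enabled)" in the output means the
! client is listening on TCP 4786 and the device needs one of the fixes below.

! Fix A (preferred): disable the Smart Install client outright.
configure terminal
 no vstack
end
write memory

! Fix B (only when Smart Install must stay on, or "no vstack" is unavailable):
! restrict who may reach TCP 4786 with an interface ACL that allows only the
! Smart Install director host and drops every other connection to that port.
configure terminal
 ip access-list extended SMI-RESTRICT
  permit tcp host 10.0.0.5 any eq 4786
  deny   tcp any any eq 4786
  permit ip any any
 exit
 interface GigabitEthernet1/0/48
  ip access-group SMI-RESTRICT in
 exit
end
write memory

! Verify: the client no longer reports as enabled, or the deny entry is
! accumulating hit counts from blocked scans.
show vstack config
show ip access-lists SMI-RESTRICT
```

The ACL must be applied on every interface that faces untrusted networks, not only the uplink shown here; the hit counter on the deny line doubles as a simple detection of the port 4786 scanning the article mentions.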
In February 2017 Cisco issued an alert after noticing a rise in the number of internet scans for systems on which the Smart Install Client had not been turned off or had not been configured with the proper security controls. Without those controls, hackers can send new commands to switches running Cisco's IOS or IOS XE network operating system.