What now?Ĭisco has released security updates that fix the issue last week, but obviously many administrators did not get to implementing them before the attacks happened. But a more recent Shodan search shows that the number of exposed devices has only slightly decreased. The attackers left a contact email address in the message and Motherboard managed to get in touch with them.Īpparently, the idea was to retaliate for “attacks from government-backed hackers on the United States and other countries.”Īlso, they claim to have fixed the vulnerability on exposed devices in the US and UK by running the command no vstack on the affected device, in an attempt to stave off future attacks. “Some 55,000 devices were affected in the United States and 14,000 in China, and Iran’s share of affected devices was 2 percent,” said Iran’s IT Minister Mohammad Javad Azari-Jahromi. The Iranian Communication and Information Technology Ministry confirmed that some 3,500 switches in the country have been affected by the attack, but also that 200,000 router switches across the world have been hit. “That results in some data centers being unavailable, and that, in turn, results in some popular sites being down.” Once it finds a vulnerable switch, it exploits the Smart Install Client, rewrites the config – and thus takes another segment of the Internet down,” they noted. “It seems that there’s a bot that is searching for vulnerable Cisco switches via the IoT search engine Shodan and exploiting the vulnerability in them (or, perhaps, it might be using Cisco’s own utility that is designed to search for vulnerable switches). The tools has other capabilities such as installing new configuration file to the remote device, and also multiple remote devices, update the cisco IOS running on the remote device and execute code on the remote device.Ī simple shodan search for port 4786 shows that there are over 70K Devices which have the smart install services exposed to the internet.The proof-of-concept exploit code for a vulnerability affecting many Cisco switches has been leveraged by vigilante hackers to mess with networks and data-centers in Russia and Iran.Īccording to Kaspersky Lab researchers, after exploiting the flaw the attackers are able to run code that allows them to rewrite the Cisco IOS image on the switches and change the configuration file, leaving a message that reads “Do not mess with our elections.” This eventually gave me access to the core routers and other Cisco Network Infra devices since the user accounts credentials were the same across the devices. Other accounts used weak cisco type 7 encryption algorithms which can be cracked within seconds using online tools like: Looked around for a way to exploit this & stumbled upon the Smart Install Exploitation Tool (SEIT) at With this tool, I was able to download the config files of their Core Switch which showed passwords in clear text for some of the user accounts configured. Verified the existence of this vulnerability with NMAP and Metasploit: nmap -p 4786 -v use auxiliary/scanner/misc/cisco_smart_install Until I came across some of their Cisco Switches running a vulnerable version of Smart Install as reported by Nessus at I was on a recent internal assessment engagement and boy oh boy, this clients’ environments looked pretty solid. Pwning Cisco Devices Using Smart Install Exploitation Tool (siet.py)
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |