
    Hackers Target Iran Network Infrastructure Exploiting Cisco Software Flaw

    Internet service providers and data centers around the globe have come under attack from hackers exploiting a Cisco software vulnerability that the Silicon Valley-based firm publicized and patched on March 28. Some 3,500 devices were targeted in Iran.

    The attack on Iran’s network infrastructure was launched at 20:15 local time on April 6 and was foiled by the Iran Computer Emergency Response Team Coordination Center (Iran CERTCC) within two hours.

    According to an ICT Ministry statement, hackers targeted ISPs and databases, disrupting communications and leaving subscribers disconnected in some areas.

    The attackers exploited a vulnerability in Cisco routers. Cisco had earlier issued a warning and provided a patch, which some firms had failed to install over Norouz, the Iranian New Year holiday (March 21 to April 2).

    Hackers left the image of a US flag on screens along with a warning, "Don't mess with our elections."

    ICT Minister Mohammad Javad Azari-Jahromi took to Twitter hours after the attack was launched and detailed efforts by CERTCC and local firms to mitigate it.

    Azari-Jahromi kept updating his Twitter status on the procedure and later on April 7 appeared on state TV to explain what happened and outline the ministry's upcoming measures to prevent such incidents.

    Azari-Jahromi said, "Some 195,000 Cisco routers and network switches came under attack around the globe. The US bore the brunt of the cyber attack with 55,385 devices affected in the country followed by China with 14,335, Russia 13,839 and Japan 9,972. Iran was not even among the top 10 impacted countries. Only 2% of the cases occurred in Iran."

    However, the minister noted that the Iranian network service provider and ISP Respina was one of the companies most affected by the attack. According to him, 1,458 devices owned by Respina were affected.

    Tehran was the most impacted city in Iran, followed by Isfahan and Semnan.

    Attack's Origin

    On the attack’s source, the ministry speculates that it did not originate from the Middle East, with Azari-Jahromi adding that it is not yet clear who carried it out.

    Azari-Jahromi also said this was a denial-of-service attack and that no data was lost. A DoS attack is a cyber attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the Internet.

    Services of major Iranian ISPs, namely Afranet, AsiaTech, Shatel, ParsOnline and Respina, were disrupted. Soon after the attack, the ISPs were back online.

    Furthermore, the database hosting Iran CERTCC also came under attack and the center's website was taken down. However, Iran's National Information Network, the Telecommunication Infrastructure Company of Iran, mobile operators and most ISPs were not affected and continued offering services.

    "Hundreds of thousands of routers and network switches are used in Iran. Only 3,500 of the devices were affected," Azari-Jahromi noted.

    He reproached CERTCC, saying the center should have put firms on high alert. According to him, since the initial notice was issued during the Norouz holidays while employees were off duty, several private firms did not take it seriously enough. He said, "The center should have issued a high alert warning."

    Following the attack, a special session was held at the ministry during which it was decided to overhaul the mechanisms for issuing such notices.

    Azari-Jahromi stressed that Iran's cybersecurity response mechanisms need to become more agile and noted that there is much room for improvement. According to him, ties between CERTCC and private firms are to be strengthened.

    The minister, admitting the shortcomings, said, "Iran's cybersecurity protocols must be updated." Furthermore, he called on local firms and entities to pay more attention to security patches issued by international companies.

    Echoing Azari-Jahromi's comments, the chief of Iran Cyber Police's Detection and Prevention Center called on private firms to take such warnings more seriously and keep their networks up to date.

    Ali Niknafs said, "Routers and switches are bottlenecks of the network. When their work is disrupted the network as a whole is impacted."

    Cisco Flaw

    Attackers were and are still exploiting a "protocol misuse" issue in Cisco's Smart Install Client to gain entry into critical infrastructure providers, according to researchers at Cisco's Talos Intelligence group.

    Cisco's warning over the Smart Install Client, a tool for rapidly deploying new switches, comes a week after it released a patch for a critical remote code execution flaw affecting the software.

    Hackers can send Smart Install protocol messages to Smart Install clients that let them change the startup-config file, trigger a reload and then load a new image of Cisco's IOS networking software onto the devices. The attacker can then issue command-line instructions on switches running IOS and IOS XE.

    Embedi, the security firm that uncovered the flaw, initially believed it could only be exploited within an enterprise's network. But later, it found millions of affected devices exposed on the Internet.

    "Because in a securely configured network, Smart Install technology participants should not be accessible through the Internet. But scanning the Internet has shown that this is not true," wrote Embedi.

    "During a short scan of the Internet, we detected 250,000 vulnerable devices and 8.5 million devices that have a vulnerable port open."
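A defensive audit for the two conditions described above, a switch whose Smart Install client was never disabled and firewall logs showing the Smart Install listener reached from outside the network, written for this page as an added example and not code from the article, Cisco or Embedi. It assumes Smart Install's listener on TCP port 4786 and the IOS command `no vstack` as documented by Cisco; the config text and the firewall log line format are constructed.

```python
import ipaddress
import re
from collections import Counter

# Port and disable command are taken from Cisco's Smart Install documentation
# (assumed to apply to the reader's IOS/IOS XE platform).
SMART_INSTALL_PORT = 4786
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def smart_install_enabled(running_config: str) -> bool:
    """True if the Smart Install client is still active in an IOS running-config.
    The client is on by default and leaves no line in the config; 'no vstack'
    appears only after it has been explicitly disabled."""
    return re.search(r"^\s*no vstack\s*$", running_config, re.M) is None

def is_rfc1918(addr: str) -> bool:
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

# Constructed log shape: 'TCP 203.0.113.7:51234 -> 198.51.100.20:4786 allow'
LOG_LINE = re.compile(
    r"(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):\d+\s*->\s*[\d.]+:(?P<dport>\d+)\s+(?P<action>\w+)"
)

def external_smart_install_hits(log_lines) -> Counter:
    """Count allowed TCP connections to the Smart Install port per non-RFC 1918
    source. Smart Install is only expected inside the management network, so any
    outside source that is allowed through is exposure worth an alert."""
    hits = Counter()
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m or m["proto"] != "TCP" or int(m["dport"]) != SMART_INSTALL_PORT:
            continue
        if m["action"].lower() == "allow" and not is_rfc1918(m["src"]):
            hits[m["src"]] += 1
    return hits

# Constructed sample input: a config that never disabled the client, and a
# handful of firewall lines with one outside source reaching TCP/4786 twice.
SAMPLE_CONFIG = "hostname core-sw-1\n!\ninterface Vlan1\n ip address 10.0.0.2 255.255.255.0\n!\n"
SAMPLE_LOGS = [
    "TCP 203.0.113.7:51234 -> 198.51.100.20:4786 allow",
    "TCP 203.0.113.7:51235 -> 198.51.100.21:4786 allow",
    "TCP 10.0.0.5:40000 -> 10.0.0.2:4786 allow",        # internal, expected
    "TCP 192.0.2.9:33333 -> 198.51.100.20:4786 deny",   # blocked, not counted
    "UDP 203.0.113.7:123 -> 198.51.100.20:4786 allow",  # wrong protocol
    "TCP 198.51.100.99:2222 -> 198.51.100.20:22 allow", # different service
]

if __name__ == "__main__":
    print("Smart Install client enabled:", smart_install_enabled(SAMPLE_CONFIG))
    print("outside sources reaching Smart Install:", dict(external_smart_install_hits(SAMPLE_LOGS)))
```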

    Cisco is an American multinational firm which develops, manufactures and sells networking hardware, telecommunications equipment and other high-tech services and products.
