Last night, a hacker group operating under the name "JHT" attacked foreign network infrastructure, including Russian and Iranian networks, using the Cisco CVE-2018-0171 Smart Install vulnerability. Using this vulnerability, the hackers were able to reset the routers to their default configuration and display a message to the victims.

After vulnerable Cisco routers were attacked using CVE-2018-0171, the router's startup-config configuration file was overwritten and the router rebooted. Not only did this cause outages for the affected networks, but admins also discovered that the router's startup-config file had been replaced with a message stating "Don't mess with our elections.... -JHT", as shown below.

Attacked Router's Startup-Config

According to Reuters, Iran's Communication and Information Technology Ministry stated that over 200,000 routers worldwide were affected, with 3,500 of them being in Iran. In a tweet, Iran's ICT Minister Mohammad Javad Azari-Jahromi stated that by 4:12PM EST yesterday, 95% of the affected routers in Iran had been restored to normal service.

The attackers have told Motherboard that they scanned many countries for vulnerable systems, but only attacked Russian and Iranian routers. They also claimed to have fixed the vulnerability on any U.S. and UK routers they discovered by issuing the "no vstack" command.
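The "no vstack" command mentioned above is the global-configuration command that disables the Smart Install client on Cisco IOS. For an administrator auditing their own fleet, the corresponding check is the "Role:" line of "show vstack config". The following is an added example (not code from the article or from Cisco) that classifies devices from that output and produces the remediation command sequence; the device names and command outputs are constructed samples, and the "write memory" step is assumed here to persist the change.

```python
"""Triage Cisco IOS devices for an enabled Smart Install client.

Added example: parses the 'Role:' line of 'show vstack config' output and
emits the 'no vstack' remediation for devices that still have the client
enabled. Device names and outputs below are constructed samples."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Cisco prints the client state in the 'Role:' line, for example:
#   Role: Client (SmartInstall enabled)
ROLE_RE = re.compile(
    r"^\s*Role:\s*(?P<role>\w+)\s*\(SmartInstall\s+(?P<state>enabled|disabled)\)",
    re.IGNORECASE | re.MULTILINE,
)


@dataclass
class SmiStatus:
    device: str
    role: Optional[str]
    enabled: Optional[bool]  # None when the output could not be parsed


def parse_vstack_config(device: str, output: str) -> SmiStatus:
    """Return the Smart Install state reported by 'show vstack config'."""
    match = ROLE_RE.search(output)
    if match is None:
        # Older images that do not know the command print an error instead;
        # report 'unknown' rather than silently treating them as safe.
        return SmiStatus(device, None, None)
    return SmiStatus(device, match.group("role"),
                     match.group("state").lower() == "enabled")


def remediation(status: SmiStatus) -> List[str]:
    """IOS command sequence to disable the Smart Install client, if needed.

    'write memory' is an assumed extra step so the fix survives a reload."""
    if status.enabled:
        return ["configure terminal", "no vstack", "end", "write memory"]
    return []


def exposed_devices(outputs: Dict[str, str]) -> List[str]:
    """Names of devices whose Smart Install client is still enabled."""
    return [name for name, out in outputs.items()
            if parse_vstack_config(name, out).enabled is True]


def unparsed_devices(outputs: Dict[str, str]) -> List[str]:
    """Names of devices whose output gave no 'Role:' line (needs manual review)."""
    return [name for name, out in outputs.items()
            if parse_vstack_config(name, out).enabled is None]


# Constructed sample outputs, keyed by placeholder device name.
SAMPLES: Dict[str, str] = {
    "core-sw-1": "Role: Client (SmartInstall enabled)\n"
                 " Vstack Director IP address: 0.0.0.0\n",
    "edge-sw-2": "Role: Client (SmartInstall disabled)\n"
                 " Vstack Director IP address: 0.0.0.0\n",
    "old-sw-3": "% Invalid input detected at '^' marker.\n",
}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        status = parse_vstack_config(name, out)
        print(name, "enabled" if status.enabled else status.enabled,
              remediation(status))
```

Run against real "show vstack config" captures, the script separates devices that need "no vstack" from those whose image does not support the command at all, which is the case an audit most easily mislabels as safe.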

BleepingComputer has sent questions to the email address listed in the message, but has not heard back at the time of publication.

Update 4/9/18: 360Netlab has stated that these attacks were actually using the CVE-2018-0171 vulnerability, which also targets the Smart Install feature.
