Last night, a hacker group calling itself "JHT" attacked network infrastructure in Russia and Iran by abusing Cisco's Smart Install feature, initially attributed to the CVE-2018-0171 Smart Install vulnerability. Using this access, the attackers were able to wipe the routers' startup configuration, resetting them to defaults, and leave a message for the victims.
On each affected Cisco router, the configuration file called startup-config was overwritten and the router rebooted. Not only did this cause outages for the affected networks, but admins also discovered that the router's startup-config had been replaced with a message reading "Don't mess with our elections.... -JHT firstname.lastname@example.org".
According to Reuters, Iran's Communication and Information Technology Ministry stated that over 200,000 routers worldwide were affected, with 3,500 of them being in Iran. In a tweet, Iran's ICT Minister Mohammad Javad Azari-Jahromi stated that by 4:12PM EST yesterday, 95% of the affected routers in Iran had been restored to normal service.
The attackers told Motherboard that they scanned many countries for vulnerable systems but only attacked Russian and Iranian routers. They also claimed to have disabled Smart Install on any vulnerable U.S. and UK routers they found by issuing the no vstack command, which turns off the exposed Smart Install client rather than patching the underlying bug.
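For admins who want to verify their own exposure and apply the same mitigation properly, the Cisco IOS session below is an added example and is not from the original article or from Cisco. The `show vstack config`, `show tcp brief all`, `no vstack` and `write memory` commands are real IOS commands; the interface name, the 10.0.0.0/8 management range and the ACL name are assumptions chosen for illustration.

```text
! 1. Check whether the Smart Install client is enabled and listening.
!    An exposed device reports "Role: Client (SmartInstall enabled)"
!    and shows a listener on TCP port 4786.
Switch# show vstack config
Switch# show tcp brief all

! 2. Disable the Smart Install client (what "no vstack" actually does).
Switch# configure terminal
Switch(config)# no vstack
Switch(config)# end

! 3. Persist the change so a reload does not bring the client back.
Switch# write memory

! 4. Defense in depth: only let an assumed management range (10.0.0.0/8)
!    reach TCP 4786, and drop everything else. Interface name is assumed.
Switch# configure terminal
Switch(config)# ip access-list extended BLOCK-SMI
Switch(config-ext-nacl)# permit tcp 10.0.0.0 0.255.255.255 any eq 4786
Switch(config-ext-nacl)# deny tcp any any eq 4786
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# ip access-group BLOCK-SMI in
Switch(config-if)# end
Switch# write memory
```

Re-run `show vstack config` after step 2 to confirm the client is reported as disabled, and probe TCP 4786 from outside the management network (for example with `nmap -p 4786 <device>`) to confirm the port no longer answers; a device that still listens on 4786 from the internet remains exposed regardless of which Smart Install bug an attacker chooses.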
BleepingComputer has sent questions to the email listed in the message, but have not heard back at the time of this publication.
Update 4/9/18: 360Netlab has stated that, based on traffic captured by its honeypot on port 4786, these attacks were actually using CVE-2016-1349, an older vulnerability that also targets the Smart Install feature, rather than CVE-2018-0171.
So we are back from Tombsweep festival and are able to take a close look at our honeypot on port 4786. What we saw indicates it actually has nothing to do with CVE-2018-0171; instead, it is using https://t.co/Smeqa3z1vu, which leads to CVE-2016-1349 pic.twitter.com/IgAa4rIwBy — 360 Netlab (@360Netlab) April 8, 2018