Last night, a hacker group going under the name "JHT" attacked foreign network infrastructure, including Russian and Iranian networks, using the Cisco CVE-2018-0171 Smart Install vulnerability. Using this vulnerability the hackers were able to reset the routers back to their default configuration and display a message to the victims.

After vulnerable Cisco routers were attacked using the CVE-2018-0171, the router's configuration file called startup-config was overwritten and the router rebooted. Not only did this cause outages for the affected networks, but admins also discovered that the router's startup-config file was changed to a message stating "Don't mess with our elections.... -JHT usafreedom_jht@tutanota.com" as shown below.

Attacked Router's Startup-Config
Source: https://twitter.com/xnetua/status/982316233411325952

According to Reuters, Iran's Communication and Information Technology Ministry stated that over 200,000 routers worldwide were affected, with 3,500 of them being in Iran. In a tweet, Iran's ICT Minister Mohammad Javad Azari-Jahromi stated that by 4:12PM EST yesterday, 95% of the affected routers in Iran had been restored to normal service.

The attackers have told Motherboard that they scanned many countries for vulnerable systems, but only attacked Russian or Iranian routers. They also claimed to fix the vulnerability on any U.S. and UK routers that they discovered by issuing the no vstack command.
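The mitigation the attackers claim to have applied, disabling Smart Install with `no vstack`, is also the one a defender should apply on every device in their own inventory. The following is an added example, not code from the article or from Cisco: it takes saved `show vstack config` output per device (collected by whatever config-backup tooling you already run), flags devices where Smart Install is still enabled, and emits the remediation commands. The hostnames and captures are constructed, and the parsed line format `Role: Client (SmartInstall enabled)` is assumed from Cisco's advisories rather than stated on this page.

```python
"""Flag Cisco IOS devices with Smart Install still enabled, from saved CLI output.

Added example, not from the article. Assumptions: the text of
`show vstack config` has already been collected for each device, and the
role line has the form "Role: Client (SmartInstall enabled)" as shown in
Cisco's Smart Install advisories (assumed format, not stated on the page).
"""
import re

# Constructed sample captures keyed by hostname (not real devices).
SAMPLE_CAPTURES = {
    "edge-rtr-01": "Role: Client (SmartInstall enabled)\n"
                   "Vstack Director IP address: 0.0.0.0\n",
    "core-sw-02": "Role: Client (SmartInstall disabled)\n"
                  "Vstack Director IP address: 0.0.0.0\n",
    # A platform without the feature at all; the command itself errors out.
    "lab-sw-03": "% Vstack is not supported on this platform\n",
}

ROLE_RE = re.compile(
    r"^Role:\s*(?P<role>\w+)\s*\(SmartInstall\s+(?P<state>enabled|disabled)\)",
    re.MULTILINE | re.IGNORECASE,
)


def smart_install_state(capture: str) -> str:
    """Return 'enabled', 'disabled' or 'unknown' for one device's output.

    'unknown' is deliberately not treated as safe: a capture that does not
    parse should be looked at by a human, not silently skipped.
    """
    m = ROLE_RE.search(capture)
    if not m:
        return "unknown"
    return m.group("state").lower()


def devices_needing_no_vstack(captures: dict) -> list:
    """Hostnames where Smart Install is enabled and `no vstack` is still needed."""
    return sorted(h for h, out in captures.items()
                  if smart_install_state(out) == "enabled")


def devices_needing_review(captures: dict) -> list:
    """Hostnames whose output could not be parsed at all."""
    return sorted(h for h, out in captures.items()
                  if smart_install_state(out) == "unknown")


def remediation_commands() -> list:
    # `no vstack` is the command the article mentions. `write memory` persists
    # it so the setting survives a reboot, which matters here because the
    # incident involved devices that were rebooted with a wiped startup-config.
    return ["configure terminal", "no vstack", "end", "write memory"]


if __name__ == "__main__":
    for host in devices_needing_no_vstack(SAMPLE_CAPTURES):
        print(f"{host}: Smart Install enabled -> {' ; '.join(remediation_commands())}")
    for host in devices_needing_review(SAMPLE_CAPTURES):
        print(f"{host}: could not determine Smart Install state, review manually")
```

Run it against real captures by replacing `SAMPLE_CAPTURES` with the output your backup tooling collected. One caveat from Cisco's own guidance (not from this article): on some older IOS releases the `vstack` command cannot be disabled, and the fallback is an interface ACL that drops the Smart Install listener port; a device that reports `enabled` but rejects `no vstack` belongs in the review list, not the done list.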

BleepingComputer has sent questions to the email address listed in the message, but has not heard back at the time of this publication.

Update 4/9/18: 360Netlab has stated that these attacks were actually using the CVE-2018-0171 vulnerability, which also targets the Smart Install feature.
