Global cyberattack targets 200,000 network switches (updated)

The attackers displayed a US flag, but it's not clear who's responsible.

The past few days haven't been great for the internet's broader security. Iran's Communication and Information Technology Ministry has reported that it was a victim in a global cyberattack that compromised about 200,000 Cisco switches that hadn't yet received patches for exploits in the company's legacy Smart Install protocol. The attackers displayed a US flag on at least some screens, complete with a "don't mess with our elections" warning, but the attack wasn't focused on Iran -- only 3,500 switches fell to the exploit in the country. About 55,000 of the victim devices were in the US, IT Minister Mohammad Javad Azari Jahromi said, while 14,000 were in China. Other victims were located in Europe and India.

Iran's report came shortly after Cisco's Talos research group warned that there had been "several incidents" around the world where "specific advanced actors" had targeted its switches using Smart Install. There had been a spike in scanning as of November 2017, and it only increased in intensity in March and April.

The damage, at least in Iran, might be minimal -- Iran said it tackled the flaw within hours, and that it hadn't lost data. However, the reach of the attack and its messaging are more than a little baffling. If this was a warning over election meddling, why not focus on Russia instead of countries that could frequently be victims of those attacks? This could be an indiscriminate protest, or even a deliberate attempt to throw investigators off the trail by foisting the blame on one country.

Whoever's responsible, the cyberattacks highlight a recurring problem: many of the breaches in recent months have been the result of lax security practices. These switches could have been fixed in time to prevent the attack, but a slow response left them wide open. It may take a long time before a lear majority of network operators treat patches and operating system upgrades as high priorities.

Update: In a response to Motherboard, the attackers claimed this was a protest against Russia and other countries meddling in American elections. Also, some of the targets were Russian. It's still odd that the US and other countries got caught in the crossfire (especially as the attackers claimed they fixed the flaws on US and UK devices), but the campaign makes more sense as a result.

https://www.engadget.com/amp/2018/04/07/global-cisco-switch-cyberattack/