Late in the evening of Friday, April 6, Iranian data centers were hit by a global cyber attack that reset a small number of switches and routers to their factory default settings.
The attack on Cisco router equipment disrupted the operation of several providers and websites.
Not long after the attack, the Iranian ICT minister, Mohammad-Javad Azari Jahromi, confirmed the attack and the reset to factory default settings in a tweet on his Twitter account. He mentioned that the MAHER center is helping the data centers bring their networks back to normal.
Founded in 2008, the MAHER center is the first Iranian CERT (Computer Emergency Response Team); its purpose is to respond to cybercrime events and information exchange issues.
The minister gave the reason as follows: “The United States flag was posted on the pages by the attackers and linked the attack with the protests over the US elections.” He added that “So far, more than 95% of the routers have returned to the normal state and resumed service.”
The attack was not limited to Iran: in multiple countries, the attackers exploited a software flaw in some Cisco switches that has been a point of concern for more than a year.
Cisco has said that the bug was found in its Smart Install Client, a tool used for deploying new switches. The company recommends that organizations turn off old network systems for greater safety:
“In order to secure and monitor perimeter devices, network administrators need to be especially vigilant. It can be easy to ‘set and forget’ these devices, as they are typically highly stable and rarely changed,” the report said. “Combine this with the advantages that an attacker has when controlling a network device, and routers and switches become very tempting targets.”
On March 29, ZDNet warned about the bug in Cisco network equipment, saying: ‘At least 8.5 million switches open to attack, so patch now’.