On the evening of April 6, several providers and sites experienced outages caused by an attack on Cisco equipment. As reported by the Telegram channel "IT criminal cases SORM Rossiyushka", this equipment is installed at most service providers, and a vulnerability was found in it that allows the device to be controlled remotely.
- providers in the Pskov region, Korolev and Zheleznogorsk reported outages;
- eServer said that its hardware is not vulnerable;
- the hosting provider RuWeb, the provider Imaqlic, and the sites of Fontanka and 47news also confirmed failures;
- the Moscow theater Sovremennik reported problems attributed to "technical work" at its provider;
- subscribers of the Moscow operator Skynet are complaining; RiNet, MGTS and Akado were also called, but after the answering machine the call was dropped.
According to Embedi researchers, the vulnerability allows unauthenticated remote code execution (RCE). By their count, there are at least 8.5 million devices worldwide that attackers could target. Cisco has already published a patch, but it has not been installed on all devices; the company itself rated the problem as critical.
According to the author of "IT criminal cases SORM Rossiyushka", a bot scans the addresses of providers and devices around the world looking for the vulnerability. When it finds a vulnerable device, it wipes the configuration and leaves a "message" in the form of an American flag.
[Embedded tweet from 0xFF (@xnetua), April 6, 2018]
To exploit the vulnerability, an attacker needs to reach the open TCP port 4786 (the Cisco Smart Install client service) and trigger a buffer overflow in one of its message-handling functions: because the length of the incoming data is not checked, data copied from the attacker's network packet overruns a fixed-size buffer. Embedi researchers published a video demonstrating the bug. On devices that do not need Smart Install, the client can be switched off with the "no vstack" configuration command, which closes port 4786; "show vstack config" shows whether it is enabled.
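The following C sketch is an added illustration of the bug class described above, not code from Embedi, Cisco or the original article: a message handler that trusts a length field taken from the network and copies that many bytes into a fixed-size stack buffer, beside a hardened handler that rejects the message when the declared length exceeds either the bytes actually received or the buffer. The message layout (a 4-byte big-endian length followed by the payload), the 64-byte buffer, and all function names are assumptions made for this example; they are not the Smart Install wire format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed message layout for this illustration (not the real Smart Install
 * format): a 4-byte big-endian payload length, then the payload bytes. */
#define HDR_LEN     4
#define PAYLOAD_MAX 64

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Simple byte sum so that the copied payload is actually used. */
static int checksum(const uint8_t *buf, size_t n)
{
    unsigned sum = 0;
    for (size_t i = 0; i < n; i++)
        sum += buf[i];
    return (int)(sum & 0xff);
}

/* Vulnerable handler: trusts the attacker-controlled length field and copies
 * that many bytes into a 64-byte stack buffer. A declared length above 64
 * overwrites whatever sits beyond the buffer in the stack frame, and a length
 * above the bytes received also reads past the packet. It exists only to show
 * the defect; never feed it untrusted input. */
int handle_msg_vulnerable(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t payload[PAYLOAD_MAX];
    if (pkt_len < HDR_LEN)
        return -1;
    uint32_t len = read_be32(pkt);
    memcpy(payload, pkt + HDR_LEN, len);      /* no bound on len */
    return checksum(payload, len);
}

/* Hardened handler: the declared length must fit both the bytes that were
 * actually received and the destination buffer, otherwise the message is
 * rejected before anything is copied. */
int handle_msg_hardened(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t payload[PAYLOAD_MAX];
    if (pkt_len < HDR_LEN)
        return -1;
    uint32_t len = read_be32(pkt);
    if (len > pkt_len - HDR_LEN || len > sizeof payload)
        return -1;                            /* malformed or oversized */
    memcpy(payload, pkt + HDR_LEN, len);
    return checksum(payload, len);
}

/* Builds a message whose header may deliberately lie about the payload size,
 * which is the shape of packet that triggers the vulnerable handler.
 * Returns the total number of bytes written, or 0 if out is too small. */
size_t build_msg(uint32_t declared_len, const uint8_t *body, size_t body_len,
                 uint8_t *out, size_t out_cap)
{
    if (out_cap < HDR_LEN + body_len)
        return 0;
    out[0] = (uint8_t)(declared_len >> 24);
    out[1] = (uint8_t)(declared_len >> 16);
    out[2] = (uint8_t)(declared_len >> 8);
    out[3] = (uint8_t)declared_len;
    memcpy(out + HDR_LEN, body, body_len);
    return HDR_LEN + body_len;
}

int main(void)
{
    uint8_t pkt[256];
    const uint8_t hello[] = "hello";   /* constructed sample payload */
    size_t n;

    /* Well-formed message: both handlers accept it. */
    n = build_msg(5, hello, 5, pkt, sizeof pkt);
    printf("benign:    vulnerable=%d hardened=%d\n",
           handle_msg_vulnerable(pkt, n), handle_msg_hardened(pkt, n));

    /* Hostile message: the header claims 4096 bytes but only 5 follow. The
     * hardened handler rejects it; the vulnerable one would memcpy 4096 bytes
     * into a 64-byte stack buffer, so it is deliberately not called here. */
    n = build_msg(4096, hello, 5, pkt, sizeof pkt);
    printf("oversized: hardened=%d\n", handle_msg_hardened(pkt, n));
    return 0;
}
```

The hardened check has two halves for a reason: comparing the declared length against the bytes actually received stops an over-read of the packet buffer, and comparing it against the destination size stops the stack overwrite; a message that passes the first test can still fail the second, as the 128-byte case shows.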