According to Homeland Security, the attack mainly targeted state and private-sector organizations. It affected network infrastructure devices, especially routers and switches. Ciaran Martin, head of the British cyber defence agency, is sure: “Millions of machines” are affected. Such infected devices could also be used for future cyber attacks. But how could a single attack infect millions of devices in one fell swoop?
Exploitation of security gaps
The attack largely focused on outdated, weakly secured network protocols, among them the obsolete Telnet protocol. This still widespread client/server protocol exchanges character-oriented data over a TCP connection, unencrypted. Over such a connection attackers can, for example, easily read passwords in plain text.
Other affected devices use SNMP (Simple Network Management Protocol). With this protocol, a central device can manage and control connected network components such as servers, printers and routers. In its outdated version, however, SNMP poses a major security risk: that version offered only so-called community strings as a means of logging on to the system. With this method, attackers on the same network can not only read system information but even modify it.
Cisco’s administrative protocol
Cisco’s insecure Smart Install (SMI) management protocol also gave the attackers a way in. SMI allows network administrators to configure supported Cisco devices remotely and to install new files on them, and no authentication is required for this. As a result, as announced last November, attackers could easily reach around 200,000 network devices worldwide via SMI. Not only can maliciously modified firmware be uploaded; malware for other platforms can also be stored in the writable file system the devices provide.
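The three weaknesses described above (Telnet on the management lines, SNMP secured only by community strings, and Smart Install reachable without authentication) are all visible in a device's running configuration. The following Python script is an added example, not code from the article or from Cisco: it parses a constructed, hypothetical IOS-style configuration and reports each of the three conditions so an operator can find exposed devices before an attacker does. It assumes Cisco IOS command syntax (`line vty`, `transport input`, `snmp-server community`, `vstack` / `no vstack`); the device name, community strings and check names are made up for the example.

```python
"""Audit an IOS-style running-config for the three weaknesses the article names.

Added example (not from the article or any vendor). The configurations below
are constructed samples; the hostname and community strings are hypothetical.
"""
import re
from typing import Dict, List, Tuple

Finding = Dict[str, str]

# Constructed sample: a device that exposes all three weaknesses.
SAMPLE_CONFIG = """\
hostname edge-router-01
!
snmp-server community public RO
snmp-server community private RW
snmp-server group MONITOR v3 priv
!
vstack
!
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login local
!
end
"""

# Constructed sample: the same device after hardening (SSH only, SNMPv3 only,
# Smart Install explicitly disabled with 'no vstack').
HARDENED_CONFIG = """\
hostname edge-router-01
!
no vstack
!
snmp-server group MONITOR v3 priv
!
line vty 0 15
 transport input ssh
 login local
!
end
"""


def parse_config(text: str) -> List[Tuple[str, List[str]]]:
    """Group the config into (top-level line, indented child lines).

    Indented lines belong to the preceding unindented line; '!' separators
    and blank lines are dropped.
    """
    blocks: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        if raw.startswith((" ", "\t")):
            if blocks:
                blocks[-1][1].append(stripped)
        else:
            blocks.append((stripped, []))
    return blocks


def audit_config(text: str) -> List[Finding]:
    """Return one finding per exposed setting; an empty list means nothing was flagged."""
    findings: List[Finding] = []
    vstack_seen = False  # True once 'vstack' or 'no vstack' appears explicitly

    for line, children in parse_config(text):
        # 1. Telnet on a VTY line: credentials and sessions cross the wire in clear text.
        if line.startswith("line vty"):
            transports = [c for c in children if c.startswith("transport input")]
            if not transports:
                # Assumption: with no explicit setting the platform default may still
                # permit Telnet, so this is reported for manual review rather than as a hit.
                findings.append({"check": "telnet", "severity": "review",
                                 "evidence": f"{line}: no 'transport input' set"})
            for t in transports:
                allowed = t.split()[2:]
                if "telnet" in allowed or "all" in allowed:
                    findings.append({"check": "telnet", "severity": "high",
                                     "evidence": f"{line}: {t}"})

        # 2. SNMP community strings (SNMPv1/v2c): the community is the only credential,
        #    and a read-write community lets anyone who knows it change the device.
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", line)
        if m:
            name, mode = m.group(1), (m.group(2) or "RO")
            severity = "high" if mode == "RW" else "medium"
            note = " (well-known default string)" if name.lower() in ("public", "private") else ""
            findings.append({"check": "snmp-community", "severity": severity,
                             "evidence": f"{line}{note}"})

        # 3. Smart Install: 'vstack' leaves the unauthenticated SMI service enabled.
        if line == "vstack":
            vstack_seen = True
            findings.append({"check": "smart-install", "severity": "high", "evidence": line})
        elif line == "no vstack":
            vstack_seen = True

    if not vstack_seen:
        # Assumption: on platforms where Smart Install is on by default, only an explicit
        # 'no vstack' proves it is off, so silence is reported for review.
        findings.append({"check": "smart-install", "severity": "review",
                         "evidence": "neither 'vstack' nor 'no vstack' present"})
    return findings


if __name__ == "__main__":
    for label, cfg in (("exposed", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for f in audit_config(cfg) or [{"check": "-", "severity": "ok", "evidence": "no findings"}]:
            print(f"[{f['severity']:6}] {f['check']:15} {f['evidence']}")
```

Run against the exposed sample, the audit reports four findings (Telnet on `line vty 0 4`, the `public` and `private` communities, and `vstack`); the hardened sample produces none. In practice the same function can be fed the output of `show running-config` collected from each device, and any `high` finding maps directly to one of the three protocol weaknesses the article describes.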
Effects of the cyberattack
By exploiting these and other vulnerabilities, a wide variety of devices have now been infected. Attackers can use these devices to manipulate firmware, operating systems and configurations. On an infected router they are able to control, block and even modify traffic, which can have devastating effects on the affected network. Capturing credentials and manipulating messages are just two of many options. Dangerous configurations could also be spread across the network, which could in turn cause services to fail. Attackers who control an infected network infrastructure therefore essentially hold all the data in that network in their hands and can control it as well.