Lumen's Black Lotus Labs uncovers hacktivist attack

Black Lotus Labs found that more than 100 organizations' switches and routers had been attacked. (ranjith ravindran/Shutterstock)

Lumen Technologies’ Black Lotus Labs, the telco’s threat intelligence unit, uncovered evidence that hacktivists recently attacked the switches and routers of at least 100 organizations. The attackers got in through Cisco Systems’ Smart Install feature, which had been left enabled on those devices and reachable from the internet.

The Black Lotus Labs team said in a Lumen blog post that the attack occurred on and around May 13. Smart Install is a plug-and-play provisioning feature that can push configuration and software images to a switch; left exposed, it gave the attackers access to management functions that are not normally reachable from the internet. The hacktivists rendered the switches and routers unusable and replaced the devices' configuration files with “approximately six pages of an anti-government manifesto,” the blog post stated.

The attack method is not new and has been documented in numerous places, including the CVE Details database, and the Black Lotus post noted that Cisco published guidance on the correct configuration four years ago. More concerning, the post stated, is that more than 18,000 devices around the world still expose Smart Install to the internet, according to ShadowServer, a nonprofit foundation that scans the internet for such publicly reachable services.

The ShadowServer heat map shows the regions where exposed Smart Install instances remain.

Black Lotus Labs also said it identified more than 800 unique scanners looking for the misconfigured equipment. Lumen said it “null-routed the malicious IP address across the Lumen global network and added it to a block list for its security customers.”


Mike Benjamin, Lumen vice president of product security and head of Black Lotus Labs, added in a statement, "Victims can recover from this attack by rebuilding their router configuration, and either disabling or limiting the ability to manage the device remotely. In the meantime, we will continue to look for attackers abusing this protocol."
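The two mitigations the article points to, disabling Smart Install and restricting remote management, both show up as plain lines in an IOS running-config, so they can be checked offline before a device is ever scanned from outside. The script below is an added example written for this page, not code from Lumen or Black Lotus Labs. It audits a saved `show running-config` for the `no vstack` line (IOS only prints it when Smart Install has been turned off, so its absence means the default-on state), for vty lines that lack an inbound `access-class`, and for an ACL entry dropping TCP/4786, the port the Smart Install client listens on. The two sample configs, the hostnames, ACL names and addresses are constructed for the example; checking that an ACL is actually applied to an interface is left out.

```python
"""Audit a Cisco IOS running-config for Smart Install exposure.

Added example, not Lumen/Black Lotus Labs code. The sample configs are
constructed; addresses and ACL names are placeholders.
"""
import re

SMART_INSTALL_PORT = 4786  # TCP port the Smart Install client listens on


def smart_install_enabled(config: str) -> bool:
    """Smart Install is on by default and IOS only emits 'no vstack' once it
    has been disabled, so the absence of that line means it is enabled."""
    return re.search(r"^\s*no vstack\s*$", config, re.M) is None


def vty_lines_without_access_class(config: str) -> list:
    """Return the 'line vty ...' stanzas that have no inbound access-class,
    i.e. that accept management sessions from any source address."""
    findings = []
    # Split on column-0 keywords: each top-level command and its indented
    # sub-lines become one block (Python 3.7+ allows zero-width splits).
    for block in re.split(r"^(?=\S)", config, flags=re.M):
        if not block.strip():
            continue
        header = block.splitlines()[0].strip()
        if header.startswith("line vty"):
            if re.search(r"^\s+access-class\s+\S+\s+in\b", block, re.M) is None:
                findings.append(header)
    return findings


def acl_drops_smart_install(config: str) -> bool:
    """True if a numbered or named extended ACL denies TCP to port 4786."""
    pattern = (r"^\s*(?:access-list\s+\d+\s+)?(?:\d+\s+)?deny\s+tcp\s+any\s+any"
               rf"\s+eq\s+{SMART_INSTALL_PORT}\b")
    return re.search(pattern, config, re.M) is not None


def audit(config: str) -> dict:
    """Combine the three checks; 'exposed' means Smart Install is enabled and
    nothing in the config filters its port."""
    enabled = smart_install_enabled(config)
    filtered = acl_drops_smart_install(config)
    return {
        "smart_install_enabled": enabled,
        "vty_without_access_class": vty_lines_without_access_class(config),
        "acl_drops_4786": filtered,
        "exposed": enabled and not filtered,
    }


# Constructed sample: the default state the attackers abused.
VULNERABLE_CONFIG = """\
hostname edge-sw1
!
interface Vlan1
 ip address 203.0.113.10 255.255.255.0
!
line vty 0 4
 login local
 transport input ssh
!
end
"""

# Constructed sample: Smart Install off, management limited to one subnet,
# and an infrastructure ACL that drops TCP/4786 at the edge.
HARDENED_CONFIG = """\
hostname edge-sw1
!
no vstack
!
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
!
ip access-list extended INFRA-IN
 deny tcp any any eq 4786
 permit ip any any
!
interface Vlan1
 ip address 203.0.113.10 255.255.255.0
 ip access-group INFRA-IN in
!
line vty 0 4
 access-class MGMT-HOSTS in
 login local
 transport input ssh
!
end
"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

Run it against a directory of exported configs to find devices that still need `no vstack`; on a live device the same two commands to confirm are `show vstack config` and then `no vstack` in global configuration mode.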

Like other major telcos, Lumen, formerly CenturyLink, has been building out its security and threat intelligence capabilities over the last few years. It named Jason Lish as chief security officer this past April, having rebranded its cybersecurity research effort as Black Lotus Labs in 2019. The month before this most recent attack, the Black Lotus Labs team found evidence of a “watering hole” attack.