The message “Don’t mess with our elections” followed by a U.S. flag appeared on Iranian and Russian screens after a hacker group exploited Cisco Smart Install Client on vulnerable machines. The hackers claim to have targeted only the computer infrastructure in Iran and Russia during the attack on Friday night.

Reuters reported that Iran’s Communication and Information Technology Ministry said, “The attack apparently affected 200,000 router switches across the world in a widespread attack, including 3,500 switches in our country.”

Researchers from Cisco’s Talos reportedly used Shodan to find over 168,000 systems potentially exposed via the Cisco Smart Install Client. The researchers don’t call it a vulnerability, but a “protocol misuse issue.” That is what it was called back in an “informational” Cisco Security Advisory issued in 2017. Cisco’s Security Advisory issued on Friday, however, lists it as a critical vulnerability.

Dangers of the Cisco Smart Install Client flaw

The flaw in Cisco Smart Install Client allows attackers to run arbitrary code on vulnerable switches. Kaspersky Lab said the attack hit data centers and internet providers across the globe; the attackers would “rewrite the Cisco IOS image on the switches and change the configuration file, leaving a message that reads ‘Do not mess with our elections’ there.
The switch then becomes unavailable.”

Kaspersky Lab added that the attack was “mostly targeting the Russian-speaking segment of the Internet, yet other segments are clearly more or less affected as well.”

According to screenshots, a hacker group going by “JHT” claimed responsibility for the American flag and message left on Iranian and Russian screens.

As for the why, a spokesperson for the group told Motherboard, “We were tired of attacks from government-backed hackers on the United States and other countries.”

In a blog post from Thursday, Talos researchers linked to a US-CERT alert issued in March about “Russian government cyber activity targeting energy and other critical infrastructure sectors.” Motherboard suggested that is what set the vigilante hackers off.

They claimed a scan showed numerous countries with vulnerable systems, but they only attacked Russia and Iran: “We simply wanted to send a message.”

Mohammad Javad Azari-Jahromi, the ICT Minister of Iran, is quoted by Reuters as saying, “Some 55,000 devices were affected in the United States and 14,000 in China, and Iran’s share of affected devices was 2 percent.” He later tweeted that 95 percent of the attacked routers in Iran had been restored to normal service.

How to mitigate the Cisco Smart Install flaw

Kaspersky pointed out that Cisco’s Smart Install does not require authentication by design and suggested mitigations for system admins.

To check if Smart Install is working, you can run the “show vstack config” command on your switch. If the switch responds positively, which means that Smart Install is enabled, it’s better to disable it with the no vstack command.

That won’t work in all cases, as the no vstack command will only persist in some Cisco operating system releases until the switch is rebooted.
Then an upgrade or downgrade of the system version may be advised.

Kaspersky also advised:

If your business-processes do not allow to shut down Smart Install, or version of your Cisco OS do not support “no vstack” command (and it is quite possible — it was added with one of the patches), then you should limit connections to port 4786.
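
The two mitigations above can be checked across a fleet from saved command output. The following is an added example, not code from the article, Cisco or Kaspersky: a Python audit that reads each switch's saved “show vstack config” output and running configuration and reports whether Smart Install is disabled, enabled but filtered on port 4786, or enabled and unfiltered. The switch names, the ACL name SMI_FILTER, the sample captures and the exact status-line wording are constructed assumptions.

```python
import re

# Constructed captures for three hypothetical switches (not real devices).
# ASSUMPTION: the status-line wording below; match it to what your release prints.
SAMPLES = {
    "sw1": (" Role: Client (SmartInstall enabled)\n Vstack Director IP address: 0.0.0.0\n",
            "hostname sw1\ninterface Vlan10\n ip address 192.0.2.10 255.255.255.0\n"),
    "sw2": (" Capability: Client\n Oper Mode: Enabled\n Role: Client\n",
            "hostname sw2\nip access-list extended SMI_FILTER\n"
            " permit tcp host 192.0.2.1 any eq 4786\n deny tcp any any eq 4786\n"
            " permit ip any any\ninterface Vlan10\n ip access-group SMI_FILTER in\n"),
    "sw3": (" Role: Client (SmartInstall disabled)\n", "hostname sw3\nno vstack\n"),
}

def smart_install_state(vstack_output):
    """Classify saved 'show vstack config' output as enabled/disabled/unknown."""
    text = vstack_output.lower()
    if re.search(r"smartinstall disabled|oper mode:\s*disabled", text):
        return "disabled"
    if re.search(r"smartinstall enabled|oper mode:\s*enabled", text):
        return "enabled"
    return "unknown"  # command rejected, capture truncated, or unfamiliar format

def port_4786_filtered(running_config):
    """True if an ACL denying TCP 4786 is applied inbound on at least one interface."""
    denying, applied, current = set(), set(), None
    for line in running_config.splitlines():
        acl = re.match(r"ip access-list extended (\S+)", line)
        use = re.match(r"\s+ip access-group (\S+) in\b", line)
        if not line.startswith(" "):
            current = acl.group(1) if acl else None  # entering or leaving an ACL block
        elif current and re.match(r"\s+deny\s+tcp\s+any\s+any\s+eq\s+4786\b", line):
            denying.add(current)
        elif use:
            applied.add(use.group(1))
    return bool(denying & applied)

def audit(vstack_output, running_config):
    """ok = disabled, mitigated = enabled but filtered, exposed = enabled and open."""
    state = smart_install_state(vstack_output)
    if state != "enabled":
        return "ok" if state == "disabled" else "review"
    return "mitigated" if port_4786_filtered(running_config) else "exposed"

def audit_all(samples=SAMPLES):
    return {name: audit(v, c) for name, (v, c) in samples.items()}

if __name__ == "__main__":
    print(audit_all())
```

Re-run the capture and the audit after every reboot or upgrade, since on some releases no vstack persists only until the switch is rebooted. The ACL check only confirms the filter is applied on one interface, so a “mitigated” result still needs a look at which interfaces are covered.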