Security Advisor

Attackers Targeting Cisco Routers with Modified Firmware

The attack replaces the hardware's IOS, allowing traffic to be secretly monitored and further malware to be injected.

Researchers at FireEye have discovered that attackers are infecting Cisco routers with modified firmware that allows them to spy on Internet and network activity.

The malware, called SYNful Knock, hides itself in the router and, because it modifies the firmware, can go undetected by standard antivirus and antimalware software, said the security firm.

"It is customizable and modular in nature and thus can be updated once implanted," said researchers at FireEye in a post detailing the active attack. "Even the presence of the backdoor can be difficult to detect as it uses non-standard packets as a form of pseudo-authentication."

FireEye said that this incident is unique because router firmware implant attacks were largely believed to be only theoretical up to this point. However, the company said that it has found infected routers in Mexico, Ukraine, India and the Philippines.

SYNful Knock works as follows: once an attacker loads the modified Cisco IOS image onto the router, they can load and execute functional modules remotely, while gaining total access through a backdoor password. Once in, attackers can monitor both outgoing and incoming traffic, as well as load additional malicious modules. Because the infection is done at the firmware level, resetting or powering down the router will not remove the threat, and the only solution is to reimage the hardware with the original IOS.

"The impact of finding this implant on your network is severe and most likely indicates the presence of other footholds or compromised systems," said FireEye. "This backdoor provides ample capability for the attacker to propagate and compromise other hosts and critical data using this as a very stealthy beachhead."

It's important to note that the initial implantation would require the attacker to either have physical access to the hardware or know the router password. The company acknowledged that the most likely scenario for infection is attackers gaining access through unchanged, factory default passwords.

So far, FireEye said it has found Cisco router models 1841, 2811 and 3825 to be the only ones vulnerable.

Cisco has confirmed that the FireEye report on SYNful Knock is correct, and that the attacks do not take advantage of any vulnerabilities in the hardware's software. It also advises that those with the router models in question take steps to strengthen security. "Given their role in a customer’s infrastructure, networking devices are a valuable target for threat actors and should be protected as such," wrote Omar Santos, incident manager for Cisco, in a blog post. "We recommend that customers of all networking vendors include methods for preventing and detecting compromise in their operational procedures."

With FireEye saying this "stealthy router implant" is the first of its kind to enter the wild, the security firm expects its usage and similar attacks to spread quickly. "It should be evident now that this attack vector is very much a reality and will most likely grow in popularity and prevalence," said FireEye.

About the Author

Chris Paoli is the site producer for and

