Attackers Targeting Cisco Routers with Modified Firmware
The attack replaces the hardware's IOS, allowing for traffic to be secretly monitored and the further injection of malware.
Researchers at FireEye have discovered that attackers are
infecting Cisco routers with a modified firmware that allows for spying of
Internet and network activity.
The malware, called SYNful Knock, hides itself in the
router and, due to it modifying the firmware, can go undetected by standard
antivirus and antimalware software, said the security firm.
"It is customizable and modular in nature and thus can be
updated once implanted," said researchers at FireEye in a post
detailing the active attack. "Even the presence of the backdoor can be
difficult to detect as it uses non-standard packets as a form of
FireEye said that this incident is unique due to the idea
of router firmware implant attacks were largely believed to be only theoretical
up to this point. However, the company said that it has found infected routers
in Mexico, Ukraine, India and the Philippines.
How SYNful Knock works is that once an attacker loads the
modified Cisco IOS image into the router, they can load and execute functional
modules remotely, while gaining total access through the use of a backdoor
password. Once in, attackers can monitor both outgoing and incoming traffic, as
well as load additional malicious modules. Because the infection is done on the
firmware level, resetting or powering down the router will not remove the
threat, and the only solution is to reimage the hardware with the original IOS.
"The impact of finding this implant on your network is severe and most likely
indicates the presence of other footholds or compromised systems," said FireEye.
"This backdoor provides ample capability for the attacker to propagate and
compromise other hosts and critical data using this as a very stealthy
It's important to note that the initial implantation would
need the attacker to either have physical access to the hardware or know the
router password. The company acknowledged that the most likely scenario for
infection is attackers gaining access through unchanged, factory default
So far FireEye said that it has found that Cisco Router
models 1841, 2811 and 3825 are the only ones vulnerable.
Cisco has confirmed that the FireEye report on SYNful Knock
is correct, and that the attacks do not take advantage of any vulnerabilities in
the hardware's software. It also advises that those with the router models in
question take steps to strengthen
security. "Given their role in a customer’s infrastructure, networking devices
are a valuable target for threat actors and should be protected as such," wrote
Omar Santos, incident manager for Cisco,
in a blog
post. "We recommend that customers of
all networking vendors include methods for preventing and detecting compromise
in their operational procedures."
With FireEye saying this "stealthy router implant" is the
first of its kind to enter the wild, the security firm expects to see its usage
and similar attacks to spread quickly. "It should be evident now that this
attack vector is very much a reality and will most likely grow in popularity and
prevalence," said FireEye.