CISOs with Cisco routers in their infrastructure have been warned to be on the lookout for attacks after a security vendor found 14 successful breaches in three of the network equipment maker's router models in Ukraine, the Philippines, Mexico and India.
Implanted malware in routers from any enterprise vendor has largely been believed to be theoretical, FireEye said in a blog post Tuesday. However, after manufacturers recently issued advisories that such implants have been seen in the wild, it has confirmed that over two dozen have been found.
UPDATE: Ars Technica reports an unnamed group of computer scientists who probed the entire IPv4 address space for infected devices found two in Canada and 25 in the U.S.
The devices that were taken over were the Cisco 1841, 2811 and 3825 routers, but the attack apparently works on any router that uses Cisco’s IOS operating system.
Dubbed SYNful Knock, it's described as a stealthy modification of the router's firmware image that can be used to maintain persistence within a victim's network. It is customizable and modular, so it can be updated once implanted. "Even the presence of the backdoor can be difficult to detect as it uses non-standard packets as a form of pseudo-authentication," says the report.
Interestingly, it doesn't appear to leverage a zero-day vulnerability, FireEye says. The credentials used to install the backdoor are believed to be either defaults or ones the attacker had already discovered. However, the router's position in the network makes it an ideal target for re-entry or further infection.
“The impact of finding this implant on your network is severe and most likely indicates the presence of other footholds or compromised systems. This backdoor provides ample capability for the attacker to propagate and compromise other hosts and critical data using this as a very stealthy beachhead.”
Cisco [Nasdaq: CSCO], which says it has worked with FireEye on this, quickly released a statement that so far the attacks discovered didn’t leverage any product vulnerabilities. Instead, it says, the attack requires valid administrative credentials or physical access to the victim’s device. It also immediately published a Snort rule to help detect attacks and urged customers to do the following for protection:
- Step 1: Harden devices – use Cisco’s guidance to harden Cisco IOS devices
- Step 2: Instrument the network – follow the recommendations in Telemetry-Based Infrastructure Device Integrity Monitoring
- Step 3: Establish a baseline – ensure operational procedures include methods to establish a baseline
- Step 4: Analyze deviations from the baseline by leveraging technical capabilities and recommendations for Cisco IOS Software Integrity Assurance.
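Steps 3 and 4 amount to keeping a known-good hash for every IOS image in use and flagging any device whose running image no longer matches it. The following is an added example of that baseline comparison, not Cisco's or FireEye's tooling; it assumes the images have already been copied off the routers into local files, and the image names, device names, byte contents and baseline layout are all constructed for illustration.

```python
"""Compare IOS image hashes pulled from routers against a known-good baseline.

Added example (not vendor code). Assumptions: image files have been copied off
each router (e.g. via TFTP) and the defender keeps a baseline of expected
SHA-256 digests keyed by image filename. All names and bytes below are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Finding:
    device: str
    image: str
    reason: str


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of an image blob."""
    return hashlib.sha256(data).hexdigest()


def check_images(baseline: Dict[str, str],
                 observed: Dict[str, Tuple[str, bytes]]) -> List[Finding]:
    """Return one Finding per device whose image deviates from the baseline.

    baseline: image filename -> expected SHA-256 hex digest
    observed: device name -> (image filename reported by the device, image bytes)
    A device is flagged when its image name is unknown to the baseline (nothing
    to compare against) or when the digest differs from the expected value.
    """
    findings: List[Finding] = []
    for device, (image, blob) in observed.items():
        expected = baseline.get(image)
        if expected is None:
            findings.append(Finding(device, image, "image not in baseline"))
            continue
        digest = sha256_of(blob)
        if digest != expected:
            findings.append(Finding(
                device, image,
                f"hash mismatch: got {digest[:16]}..., expected {expected[:16]}..."))
    return findings


# Constructed sample data: a "known-good" image and a tampered copy of it.
GOOD_IMAGE = b"constructed known-good IOS image bytes"
TAMPERED_IMAGE = GOOD_IMAGE + b"\x00constructed implant stub"

BASELINE = {"c2800nm-constructed.bin": sha256_of(GOOD_IMAGE)}

OBSERVED = {
    "rtr-branch-01": ("c2800nm-constructed.bin", GOOD_IMAGE),      # clean
    "rtr-branch-02": ("c2800nm-constructed.bin", TAMPERED_IMAGE),  # modified image
    "rtr-branch-03": ("c2800nm-unknown.bin", GOOD_IMAGE),          # not baselined
}

if __name__ == "__main__":
    for f in check_images(BASELINE, OBSERVED):
        print(f"{f.device}: {f.image}: {f.reason}")
```

A clean fleet returns an empty list; anything else is a deviation to investigate, and a device whose image name is not in the baseline at all is treated as a deviation rather than silently skipped.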
Briefly, the attackers have modified Cisco's IOS image to create the backdoor and upload different modules. Each module is enabled via the HTTP protocol — not HTTPS — using specially crafted TCP packets sent to the router's interface. The packets have a nonstandard sequence number and a corresponding acknowledgment number. The modules can be independent executable code or hooks within the router's IOS that provide functionality similar to the backdoor password. The backdoor password provides access to the router through the console and Telnet.
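The detection angle in the paragraph above is that the trigger packets carry sequence and acknowledgment numbers a normal handshake would not. The following is an added heuristic illustrating that idea; it is not Cisco's Snort rule or FireEye's signature, and it encodes only a general TCP sanity check: a pure SYN (ACK flag clear) has no meaningful acknowledgment number, so a non-zero ack field on a SYN to the HTTP or Telnet port the article names is worth an alert. The packet records and addresses are constructed.

```python
"""Flag pure SYN packets that carry a non-zero acknowledgment number.

Added example, not vendor detection content. Heuristic only: per the TCP
specification the ack field is meaningful only when the ACK flag is set, so a
SYN without ACK but with ack != 0 is a handshake a normal client never sends.
Watched ports default to 80 (HTTP) and 23 (Telnet), the services the article
associates with the implant. All records below are constructed samples.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

SYN = 0x02
ACK = 0x10


@dataclass
class TcpRecord:
    src: str
    dst: str
    dport: int
    flags: int
    seq: int
    ack: int


def is_anomalous_syn(pkt: TcpRecord) -> bool:
    """True for a SYN with the ACK flag clear but a non-zero ack number."""
    pure_syn = bool(pkt.flags & SYN) and not (pkt.flags & ACK)
    return pure_syn and pkt.ack != 0


def scan(records: Iterable[TcpRecord],
         watched_ports: FrozenSet[int] = frozenset({80, 23})) -> List[str]:
    """Return one alert line per anomalous SYN aimed at a watched port."""
    alerts: List[str] = []
    for r in records:
        if r.dport in watched_ports and is_anomalous_syn(r):
            alerts.append(
                f"{r.src} -> {r.dst}:{r.dport} pure SYN with non-zero "
                f"ack={r.ack:#x} seq={r.seq:#x}")
    return alerts


# Constructed sample traffic toward a router management address.
SAMPLE_RECORDS = [
    # ordinary client SYN: ack field is zero, nothing to report
    TcpRecord("10.0.0.5", "10.0.0.1", 80, SYN, 0x1a2b3c4d, 0),
    # SYN-ACK from the router: ack is non-zero but ACK flag is set, so normal
    TcpRecord("10.0.0.1", "10.0.0.5", 51000, SYN | ACK, 0x0badf00d, 0x1a2b3c4e),
    # pure SYN carrying an acknowledgment number: the anomaly the article describes
    TcpRecord("10.0.0.9", "10.0.0.1", 80, SYN, 0x00001000, 0x0000c0de),
    # same anomaly on an unwatched port is ignored by scan() by design
    TcpRecord("10.0.0.9", "10.0.0.1", 8443, SYN, 0x00001000, 0x0000c0de),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_RECORDS):
        print(line)
```

The SYN-ACK case is the edge that a naive "ack != 0" check gets wrong, which is why the flag test is part of the predicate; in practice this heuristic belongs beside, not instead of, the vendor's published rule.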
FireEye says that once loaded, the implant maintains its persistence in the environment, even after a system reboot. However, any further modules loaded by the attacker will only exist in the router's volatile memory and will not be available for use after a reboot. For infosec pros, that means the modules can be analyzed by getting a core dump of the router image.