Researchers at Mandiant are warning of a new advanced threat to Cisco routers that could allow targeted attackers to maintain persistence for a long period of time, monitoring all of the data flowing in and out of a victim organization.
The FireEye business explained that SYNful Knock is a “stealthy modification” of the router firmware which could lay hidden for months or years.
It is modular in nature so it can be updated and customized once implanted, and is incredibly difficult to spot.
The report continued:
“Finding backdoors within your network can be challenging. Finding a router implant? Even more so … The impact of finding this implant on your network is severe and most likely indicates the presence of other footholds or compromised systems. This backdoor provides ample capability for the attacker to propagate and compromise other hosts and critical data using this as a very stealthy beachhead.”
The initial infection vector doesn’t seem to be exploitation of a zero-day vulnerability; instead, the attackers would need to know the router password or take advantage of the password having been left at the factory default setting, Mandiant explained.
The malware, or ‘implant’, itself consists of a modified Cisco IOS image which remains persistent even after a reboot, and allows the attacker to load different modules from the internet depending on the victim, providing unrestricted access using a secret backdoor password, the report claimed.
Mandiant has already found 14 instances of the implant in victims across four countries – Ukraine, Philippines, Mexico, and India.
It’s a new vector for advanced targeted attacks likely to become increasingly popular in the future – mainly because few organizations are monitoring for compromise on this part of their infrastructure.
“We believe that the detection of SYNful Knock is just the tip of the iceberg when it comes to attacks utilizing modified router images (regardless of vendor),” Mandiant wrote in a blog post.
“As attackers focus their efforts on gaining persistent access, it is likely that other undetected variants of this implant are being deployed throughout the globe.”
The best way to mitigate the threat is to reimage the router with a known clean download from Cisco, then harden the device to prevent a future compromise, the report advised.
Cisco itself warned users last month that it had discovered malicious ROM images in the wild.