New malware discovered internationally on 14 Cisco routers

News by Max Metzger

SYNful Knock, a new kind of malware has been found on Cisco routers around the globe. Cyber-security experts say this represents a threat previously thought only theoretical.

Researchers at FireEye have discovered multiple routers across the globe that have been infected with a powerful form of malware.

The 14 routers in India, Mexico, The Philippines and Ukraine were discovered to have been implanted with malware that allows attackers to maintain access to targeted networks.The implant, called SYNful Knock, disguised itself as a Cisco IOS image that would then allow attackers an open door, into the Cisco router. 

This particular implant allows attackers unrestricted access with which they can then load various modules. In a recent report on these implants, researchers noted that, "The implant uses techniques that make it very difficult to detect. A clandestine modification of the router's firmware image can be utilised to maintain perpetual presence to an environment." Even after the infected router undergoes a system reboot, the implant persists within the router although modules that may have been loaded would be wiped. 

The most effective mitigation is to reimage the router with a clean download from Cisco itself, according to FireEye.Tony Lee, technical director of security consulting services at Mandiant, the team that found the implants says that “we do not believe that Cisco would have the power to remotely remediate the issue. Thus the onus falls upon the victim to remediate.”

The central problem with SYNful Knock, says a recent report by FireEye Mandiant team that discovered the SYNful Knock implant in the Cisco routers, was the belief that “we have dug the foundation to these large stone walls deep enough so we don't need to worry about what happens below ground. Any attack below the ground surface was deemed mostly theoretical in nature.” 

The report says,“We hope to reinforce the need for governments and organisations to understand that the barbarians may have already dug under the gates and they are already inside the castle.” Tony Lee, talking to added that this kind of attack “was largely thought to be theoretical in nature. Now we have a real live example.”

Cisco has been aware of these kind of attacks, if not of these specific implants. A month ago it published a warning of 'in the wild' attacks that could allows attackers to gain indefinite access to Cisco IOS devices. This “stealthy beachhead”, as the researchers called it, has targeted three kinds of Cisco routers, but others may be affected too. 

Tony Lee and Bill Hau, both members of the FireEye Mandiant team that discovered the SYNful Knock implant in the Cisco routers, said in a recent blog post that they believe, “SYNful Knock is just the tip of the iceberg when it comes to attack utilising modified router images. As attackers focus their efforts on gaining persistent access, it is likely that other undetected variants of this implant are being deployed throughout the globe.”

Tony Lee offered some insight as to what the Cisco implants might mean. “The home user is probably not running enterprise networking gear, thus will be unaffected by this variant. However, there have been similar attack vectors targeted at the home user space, for example Psybot.” 

He did say, however, that “companies on the other hand will need to look for this threat using the recommendations outlined in our white paper”.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews