New scans have shown that nearly 200 Cisco routers have been infected with a new kind of malware, previously thought to be only theoretical.
Last week, security researchers at FireEye found that 14 routers in India, Mexico, the Philippines and Ukraine had been infected with SYNful Knock, a new kind of malware that disguises itself as a Cisco IOS image and essentially creates an open door into the router through which attackers can retain indefinite access.
On Monday, researchers at the Shadowserver Foundation, a volunteer organisation which describes itself as devoted to providing "timely and relevant information to the security community at large", reported that they had run an internet scan as an ecosystem partner of Cisco Systems in order to protect customers. Starting from the 14 infected routers that had been reported, the Shadowserver Foundation discovered nearly 200 routers around the globe that had been infected with SYNful Knock.
The large majority of infections, 65 of them, were found in the US. India trailed behind in second place with 12, and the remainder were spread in broadly similar numbers across 32 other countries around the globe, including Russia, Poland and China.
In a recent blog post, The Shadowserver Foundation did not equivocate about the gravity of this situation: “It is important to stress the severity of this malicious activity.” The post added that, “Currently, Shadowserver believes that any machine that responds to this scan is potentially compromised. Compromised routers should be identified and re-mediated as a top priority.”
When the malware was discovered last week, Tony Lee, technical director of security consulting services at Mandiant, the team that found the implants, spoke to SCmagazineUK.com and said that this kind of attack “was largely thought to be theoretical in nature. Now we have a real live example.”
Along with Bill Hau, another member of the Mandiant team, Lee elaborated on that statement in a report on the significance of SYNful Knock's discovery. They said that the malware undermines the belief that cyber-security professionals "have dug the foundation to these large stone walls deep enough so we don't need to worry about what happens below ground. Any attack below the ground surface was deemed mostly theoretical in nature."
SYNful Knock, they said, makes it important to understand that "the barbarians may have already dug under the gates and they are already inside the castle."
Yvonne Malmgren at Cisco Corporate Communications emailed SC to say: "this is not a security vulnerability," adding: "In order to install the malware (whether it's a Cisco router or from any other vendor), an attacker needs access to valid Privileged Credentials (stolen) or physical access to a device. While SYNful Knock is a specific example of malicious software, Cisco believes that is an example of an evolution of attacks against networking devices. Network devices (of many types and from many companies) are high-value targets for malicious actors. These physical devices themselves, and their credentials, should be protected accordingly."
Cisco has established an Event Response Page, which it says updates customers in real time so they can be protected against these threats.