Security firm Mandiant, a subsidiary of FireEye, discovered that firmware on some Cisco enterprise routers had been replaced with malicious versions that could open backdoors and compromise other systems. The fake software was found on 14 router models in Mexico, Ukraine, India and the Philippines.
Replacing a router's firmware with a tampered version is no longer a theoretical risk. Researchers at the computer-security firm Mandiant detected a real attack in which fake firmware was installed on corporate routers in four countries. The implant, called SYNful Knock, gives attackers a backdoor with high-privilege access to break into affected equipment and stay there. The backdoor persists even after the router is restarted. This distinguishes it, worryingly, from the malware found on consumer routers, which disappears from memory when the device is rebooted.
SYNful Knock is a modified version of the IOS operating system (Internetwork Operating System) that runs on Cisco's professional routers and switches. To date, Mandiant researchers have found it on Model 1841, 8211 and 3825 Integrated Services Routers (ISRs), which enterprises typically deploy in branch offices and which are also used by managed network service providers.
Default or stolen administration certificates
A subsidiary of cybersecurity firm FireEye, Mandiant found the fake firmware on 14 routers in Mexico, Ukraine, India and the Philippines. The affected models are no longer sold by Cisco, but there is no guarantee that other models have not already been, or will not be, targeted. Cisco issued a security alert in August warning customers about new attacks on its routers.
In the cases studied by Mandiant, SYNful Knock was not installed by exploiting a software flaw, but more likely through default administrative certificates or stolen ones. The changes made to the firmware did not alter its original size. The software that takes its place installs a backdoor: a password opens privileged Telnet access, and the implant listens for commands carried in TCP SYN packets (hence the name SYNful Knock). This channel can be used to instruct the fake firmware to load malicious modules into the router's memory. Unlike the backdoor itself, however, these modules do not survive a device reboot.
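Because the implant keeps the image size unchanged, a size check alone cannot reveal it. The following added example (not Mandiant's or Cisco's code) shows why an integrity check must compare a cryptographic hash of the image against a known-good value; the image bytes and the manifest are constructed for the demonstration, and in practice the reference hash would come from the vendor's published checksums.

```python
import hashlib

# Constructed stand-in for a firmware image (not a real IOS image).
GOOD_IMAGE = b"IOS-IMAGE-HEADER" + bytes(range(256)) * 4 + b"END"

# Constructed known-good manifest: model -> expected size and SHA-256.
# Real values would be taken from the vendor's published image checksums.
KNOWN_GOOD = {
    "c1841": {
        "size": len(GOOD_IMAGE),
        "sha256": hashlib.sha256(GOOD_IMAGE).hexdigest(),
    },
}


def patch_in_place(image: bytes, offset: int, payload: bytes) -> bytes:
    """Overwrite bytes at `offset` without changing the image length.
    This models the kind of modification that leaves the size intact."""
    if offset + len(payload) > len(image):
        raise ValueError("payload does not fit inside the image")
    return image[:offset] + payload + image[offset + len(payload):]


def check_image(model: str, image: bytes) -> dict:
    """Compare an image against the manifest by size and by SHA-256.
    Only the hash comparison can catch a same-size modification."""
    ref = KNOWN_GOOD[model]
    size_ok = len(image) == ref["size"]
    hash_ok = hashlib.sha256(image).hexdigest() == ref["sha256"]
    return {"size_ok": size_ok, "hash_ok": hash_ok, "trusted": size_ok and hash_ok}


# Constructed tampered image: same length as the clean one, different content.
TAMPERED_IMAGE = patch_in_place(GOOD_IMAGE, 64, b"MODIFIED")

if __name__ == "__main__":
    print("clean:   ", check_image("c1841", GOOD_IMAGE))
    print("tampered:", check_image("c1841", TAMPERED_IMAGE))
```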
Very dangerous compromises
Router compromises are very dangerous because they allow attackers to monitor and modify network traffic, redirect users to fake sites, and launch further attacks against endpoints, servers and computers located inside isolated networks. Routers generally receive less security attention than other equipment, since companies expect employee workstations or application servers, rather than routers, to be the targets. Routers are also not protected by anti-malware utilities or firewalls.
“Finding that backdoors have been placed in your network can be very problematic and finding an implant in a router even more so,” Mandiant security experts point out in a post. “This backdoor provides attackers with enormous opportunities to propagate and compromise other hosts and critical data by using a particularly stealthy bridgehead.” In a white paper, Mandiant provides indicators that can be used to detect SYNful Knock implants, both locally on routers and at the network level. “It should be obvious by now that this attack vector is indeed a reality, and its prevalence and popularity will only increase,” experts warn. Following the information released by Mandiant, Cisco also communicated on the subject, providing additional explanations.