SYNful Knock - A Cisco router implant
Overview
Vendor-agnostic modified router images have been largely believed to be theoretical in nature and especially in use. However, recent vendor advisories indicate that these have been seen in the wild. Mandiant can confirm the existence of at least 14 such router implants spread across four different countries: Ukraine, Philippines, Mexico, and India.
https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html
Cisco router break-ins bypass cyber defenses | Reuters
http://blogs.cisco.com/security/synful-knock
September 15, 2015 By Pierluigi Paganini
The Mandiant firm has spotted more than a dozen Cisco routers running malicious ROMMON firmware images that allow attackers to control targeted devices.
A few weeks ago, Cisco issued an alert to warn enterprise customers about a spike in attacks in which hackers use valid admin credentials on IOS devices to install bogus ROMMON images; ROMMON is the bootstrap program that initializes the Cisco hardware and boots the software.
Full Article
Diseased boxen lassoed in four countries as malicious actors find their way into systems
15 Sep 2015 at 16:54, John Leyden
More than a dozen compromised router infections have been found in the wild, all targeting Cisco kit as part of sophisticated attempts to hack into corporate and government networks. Once considered only a theoretical risk, the finding of malware-infected routers by FireEye/Mandiant shows that the threat is all too real.
A backdoor-implanted router provides attackers with a foothold on targeted networks, allowing them to launch stepping-stone attacks on other hosts and back-end systems.
Attacks might be possible on any router technology, but all the real-world infections uncovered by FireEye/Mandiant involved devices made by Cisco. The Mandiant team found 14 instances of the router implant, dubbed SYNful Knock, across four countries: Ukraine, the Philippines, Mexico, and India.
Full Article
The firmware on at least 14 business routers has been replaced with a backdoored version, researchers from Mandiant found.
By Lucian Constantin
Replacing router firmware with poisoned versions is no longer just a theoretical risk. Researchers from Mandiant have detected a real-world attack that has installed rogue firmware on business routers in four countries.
The router implant, dubbed SYNful Knock, provides attackers with highly privileged backdoor access to the affected devices and persists even across reboots. This is different from the typical malware found on consumer routers, which gets wiped from memory when the device is restarted.
SYNful Knock is a modification of the IOS operating system that runs on professional routers and switches made by Cisco Systems. So far it was found by Mandiant researchers on Cisco 1841, 2811 and 3825 "integrated services routers," which are typically used by businesses in their branch offices or by providers of managed network services.
Full Article
SYNful Knock implant appears to be much bigger than first reported, researchers say.
by Dan Goodin (US) - Sep 16, 2015
The highly clandestine attacks hitting Cisco Systems routers are much more active than previously reported. Infections have hit at least 79 devices in 19 countries, including an ISP in the US that's hosting 25 boxes running the malicious backdoor.
That discovery comes from a team of computer scientists who probed the entire IPv4 address space for infected devices. As Ars reported Tuesday, the so-called SYNful Knock router implant is activated after receiving an unusual series of non-compliant network packets followed by a hardcoded password. By sending only the out-of-sequence TCP packets but not the password to every Internet address and then monitoring the response, the researchers were able to detect which ones were infected by the backdoor.
Full Article
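The scan described in the Ars excerpt above (send the knock, never the password, and classify the reply) can be modelled offline. The block below is an added example written for this thread; it is not code from Ars, FireEye, or the university team that ran the IPv4-wide scan. It builds the knock SYN, then parses a SYN-ACK and checks it against the implant's published reply signature. The signature values (seq/ack offsets 0xC123D and 0xC123E, window and urgent pointer of 1, the fixed 12 option bytes) are taken from FireEye's Part I write-up linked at the top of the thread; the function names and the two sample replies are constructed here and are not captures.

```python
"""Offline model of the SYNful Knock "knock without password" scan.

Added example for this thread, not code from any quoted article or from
FireEye's scanner. Signature constants are as published by FireEye; the
sample replies below are constructed, not captured traffic.
"""
import struct

# Fixed TCP header (RFC 793, network byte order): sport, dport, seq, ack,
# data offset/reserved, flags, window, checksum, urgent pointer.
TCP_FIXED = "!HHIIBBHHH"
MASK32 = 0xFFFFFFFF
FLAG_SYN, FLAG_ACK = 0x02, 0x10

# Implant signature as published by FireEye (Part I write-up):
KNOCK_DELTA = 0xC123D      # knock SYN: seq - ack
REPLY_DELTA = 0xC123E      # implant SYN-ACK: ack - seq
REPLY_WINDOW = 0x0001
REPLY_URGENT = 0x0001
REPLY_OPTIONS = bytes.fromhex("020405b4 01010402 01030305")


def build_tcp(sport, dport, seq, ack, flags, window, urgent=0, options=b""):
    """Pack a TCP header. Checksum is left zero: this never touches a socket."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a 32-bit boundary")
    data_offset = (5 + len(options) // 4) << 4
    fixed = struct.pack(TCP_FIXED, sport, dport, seq & MASK32, ack & MASK32,
                        data_offset, flags, window, 0, urgent)
    return fixed + options


def parse_tcp(segment):
    """Unpack the fixed header and slice out the options bytes."""
    sport, dport, seq, ack, off, flags, window, _csum, urgent = struct.unpack(
        TCP_FIXED, segment[:20])
    hdr_len = (off >> 4) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "urgent": urgent,
            "options": segment[20:hdr_len]}


def build_knock(sport, ack=0x11223344):
    """The knock: a SYN to port 80 whose seq - ack == 0xC123D. No password follows."""
    return build_tcp(sport, 80, (ack + KNOCK_DELTA) & MASK32, ack, FLAG_SYN, 0xFFFF)


def is_implant_reply(knock, reply):
    """True only if the SYN-ACK acknowledges our knock AND matches every signature field."""
    k, r = parse_tcp(knock), parse_tcp(reply)
    if (r["flags"] & (FLAG_SYN | FLAG_ACK)) != (FLAG_SYN | FLAG_ACK):
        return False
    if r["sport"] != k["dport"] or r["dport"] != k["sport"]:
        return False
    if r["ack"] != ((k["seq"] + 1) & MASK32):      # must acknowledge our SYN
        return False
    if ((r["ack"] - r["seq"]) & MASK32) != REPLY_DELTA:
        return False
    # The option bytes alone look like an ordinary Linux SYN-ACK; the window
    # and urgent-pointer values are what make the combination distinctive.
    return (r["window"], r["urgent"], r["options"]) == (
        REPLY_WINDOW, REPLY_URGENT, REPLY_OPTIONS)


def classify(knock, reply):
    """What the scanner records per host: 'implant', 'normal' or 'no response'."""
    if reply is None:
        return "no response"
    return "implant" if is_implant_reply(knock, reply) else "normal"


# Constructed sample replies (hypothetical, not captured packets).
def sample_implant_reply(knock):
    k = parse_tcp(knock)
    ack = (k["seq"] + 1) & MASK32
    return build_tcp(80, k["sport"], (ack - REPLY_DELTA) & MASK32, ack,
                     FLAG_SYN | FLAG_ACK, REPLY_WINDOW, REPLY_URGENT, REPLY_OPTIONS)


def sample_normal_reply(knock):
    k = parse_tcp(knock)
    # Ordinary stack: unrelated ISN, sane window, MSS + SACK-permitted options.
    return build_tcp(80, k["sport"], 0x7A3F1C55, (k["seq"] + 1) & MASK32,
                     FLAG_SYN | FLAG_ACK, 29200, 0, bytes.fromhex("020405b4 04020000"))


if __name__ == "__main__":
    knock = build_knock(40000)
    for name, reply in (("implant-style", sample_implant_reply(knock)),
                        ("normal stack", sample_normal_reply(knock)),
                        ("silent host", None)):
        print(f"{name:14s} -> {classify(knock, reply)}")
```

The check deliberately requires that the reply acknowledge the knock's own sequence number before comparing deltas, so a stray SYN-ACK from an unrelated connection cannot produce a false positive. Sending the knock on a live network is a port-80 SYN scan and should only be done against hosts you are authorized to test.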
'Nation state' resources? Naah, just assembler
13 Oct 2015 at 02:57, Richard Chirgwin
It's been widely assumed the only reason SYNful Knock and similar attacks aren't widespread is the arcane nature of firmware hacking – and that's what Grid32's Luka Hall has decided needs wider discussion.
In this paper (PDF), Hall says the idea that a firmware-based attack “involves advanced knowledge or nation state level resource” is a “common misconception”.
While the 32-page paper isn't quite messing about with trivia, Hall reckons the work involved needs far, far less than such sophistication: "a week's worth of studying PowerPC assembly, a week's worth of studying disassembly, and about a week's worth of writing code and debugging time" is sufficient, he claims, for anyone with the basics of assembly language under their belt to create a firmware-based rootkit.
Full Article