SYNful Knock - A Cisco router implant

  • 15 September 2015
  • 5 replies
  • 778 views

 
Overview
Vendor-agnostic modified router images have been largely believed to be theoretical in nature and especially in use. However, recent vendor advisories indicate that these have been seen in the wild. Mandiant can confirm the existence of at least 14 such router implants spread across four different countries: Ukraine, Philippines, Mexico, and India.
 
https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html
 
 Cisco router break-ins bypass cyber defenses | Reuters  
 
 http://blogs.cisco.com/security/synful-knock

5 replies

September 15, 2015, by Pierluigi Paganini
 

The Mandiant firm has spotted more than a dozen Cisco routers running malicious ROMMON firmware images that allow attackers to control targeted devices.

 
A few weeks ago, CISCO issued an alert to warn enterprise customers about a spike in attacks in which hackers use valid admin credentials on IOS devices to install bogus ROMMON images; ROMMON is the bootstrap program that initializes the CISCO hardware and boots the software.
 
Full Article

Diseased boxen lassoed in four countries as malicious actors find their way into systems

15 Sep 2015 at 16:54, John Leyden

More than a dozen compromised router infections have been found in the wild, all targeting Cisco kit as part of sophisticated attempts to hack into corporate and government networks.
Once considered only a theoretical risk, the finding of malware-infected routers by FireEye/Mandiant shows that the threat is all too real.
A backdoor-implanted router provides attackers with a foothold on targeted networks, allowing them to launch stepping-stone attacks on other hosts and back-end systems.
Attacks might be possible on any router technology, but all the real-world infections uncovered by FireEye/Mandiant involved devices made by Cisco. The Mandiant team found 14 instances of a router implant, dubbed SYNful Knock, across four countries: Ukraine, the Philippines, Mexico, and India.
 
full article

The firmware on at least 14 business routers has been replaced with a backdoored version, researchers from Mandiant found.

 
By Lucian Constantin
 
Replacing router firmware with poisoned versions is no longer just a theoretical risk. Researchers from Mandiant have detected a real-world attack that has installed rogue firmware on business routers in four countries.
The router implant, dubbed SYNful Knock, provides attackers with highly privileged backdoor access to the affected devices and persists even across reboots. This is different from the typical malware found on consumer routers, which gets wiped from memory when the device is restarted.
SYNful Knock is a modification of the IOS operating system that runs on professional routers and switches made by Cisco Systems. So far it was found by Mandiant researchers on Cisco 1841, 8211 and 3825 "integrated services routers," which are typically used by businesses in their branch offices or by providers of managed network services.
 
full article

SYNful Knock implant appears to be much bigger than first reported, researchers say.

by Dan Goodin (US) - Sep 16, 2015
 
                  http://cdn.arstechnica.net/wp-content/uploads/sites/3/2015/09/synful-knock-infections-640x354.png
 
The highly clandestine attacks hitting Cisco Systems routers are much more active than previously reported. Infections have hit at least 79 devices in 19 countries, including an ISP in the US that's hosting 25 boxes running the malicious backdoor.
 
That discovery comes from a team of computer scientists who probed the entire IPv4 address space for infected devices. As Ars reported Tuesday, the so-called SYNful Knock router implant is activated after receiving an unusual series of non-compliant network packets followed by a hardcoded password. By sending only the out-of-sequence TCP packets but not the password to every Internet address and then monitoring the response, the researchers were able to detect which ones were infected by the backdoor.
 
Full Article
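The scanning idea described in the article above (send only the crafted SYN, never the password, and judge the host by how its SYN/ACK comes back), as an added example that is not part of this thread and is not the research team's, FireEye's or Cisco's code. The probe offset PROBE_DELTA is a placeholder assumption, not the implant's real marker value, which this page does not give; the reply records are constructed and use TEST-NET addresses. The check is standards-based (RFC 793: a SYN/ACK must acknowledge the probe's seq+1, and the urgent pointer is only meaningful when URG is set), so it reports what is non-compliant rather than matching one implant's signature.

```python
# Added example: classify SYN/ACK replies to a crafted SYN probe and flag
# non-compliant responders. Not code from FireEye, Mandiant, Cisco or the
# team that scanned the IPv4 space; the knock constant below is a placeholder.
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF
SYN, RST, ACK, URG = 0x02, 0x04, 0x10, 0x20

# ASSUMPTION: placeholder seq/ack offset for the probe. This is NOT the
# implant's real marker; the real values are not on this page.
PROBE_DELTA = 0x1234


@dataclass(frozen=True)
class TcpHeader:
    """The few TCP header fields the check inspects."""
    seq: int
    ack: int
    flags: int
    urg_ptr: int = 0


def build_probe(seq: int) -> TcpHeader:
    """SYN whose acknowledgment field is set relative to seq.

    RFC 793 makes the acknowledgment number significant only when ACK is set,
    so a compliant stack ignores it; a knock-style implant is what would key
    on it. The password the implant expects afterwards is never sent.
    """
    return TcpHeader(seq=seq, ack=(seq - PROBE_DELTA) & MASK32, flags=SYN)


def classify_reply(probe: TcpHeader, reply: TcpHeader) -> str:
    """Return 'closed', 'unexpected', 'compliant' or 'anomalous: <reasons>'."""
    if reply.flags & RST:
        return "closed"
    if reply.flags & (SYN | ACK) != (SYN | ACK):
        return "unexpected"
    findings = []
    expected_ack = (probe.seq + 1) & MASK32        # a SYN/ACK must acknowledge seq+1
    if reply.ack != expected_ack:
        findings.append(f"ack=0x{reply.ack:08x}, expected 0x{expected_ack:08x}")
    if reply.urg_ptr and not reply.flags & URG:    # urgent pointer set but URG clear
        findings.append(f"urg_ptr=0x{reply.urg_ptr:04x} with URG flag clear")
    return "compliant" if not findings else "anomalous: " + "; ".join(findings)


def scan(replies: dict, probe: TcpHeader) -> dict:
    """Verdict per responding host; hosts that never answered are simply absent."""
    return {host: classify_reply(probe, reply) for host, reply in replies.items()}


def suspects(replies: dict, probe: TcpHeader) -> list:
    """Hosts whose SYN/ACK is non-compliant, sorted for stable output."""
    return sorted(h for h, v in scan(replies, probe).items() if v.startswith("anomalous"))


# Constructed replies (TEST-NET addresses, not real hosts).
PROBE = build_probe(seq=0x10000000)
SAMPLE_REPLIES = {
    # ordinary server: acknowledges seq+1, no urgent pointer
    "203.0.113.10": TcpHeader(seq=0x5A5A0000, ack=PROBE.seq + 1, flags=SYN | ACK),
    # closed port: RST/ACK
    "203.0.113.11": TcpHeader(seq=0, ack=0, flags=RST | ACK),
    # constructed implant-like responder: wrong ack and a stray urgent pointer
    "198.51.100.7": TcpHeader(seq=0x7E7E0000, ack=(PROBE.seq + 1 + PROBE_DELTA) & MASK32,
                              flags=SYN | ACK, urg_ptr=0x0001),
}

if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_REPLIES, PROBE).items():
        print(f"{host:15} {verdict}")
```

A hit from a check like this is a lead, not a confirmation: firewalls and load balancers also emit odd SYN/ACKs, so a production scanner would match the implant's published reply fields rather than any non-compliance, and a flagged router still needs its running image verified.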

'Nation state' resources? Naah, just assembler

13 Oct 2015 at 02:57, Richard Chirgwin
 
It's been widely assumed the only reason SYNful Knock and similar attacks aren't widespread is the arcane nature of firmware hacking – and that's what Grid32's Luka Hall has decided needs wider discussion.
 
In this paper (PDF), Hall says the idea that a firmware-based attack “involves advanced knowledge or nation state level resource” is a “common misconception”.
 
While the 32-page paper isn't quite messing about with trivia, Hall reckons the work involved needs far, far less than such sophistication: "a week's worth of studying PowerPC assembly, a week's worth of studying disassembly, and about a week's worth of writing code and debugging time" is sufficient, he claims, for anyone with the basics of assembly language under their belt to create a firmware-based rootkit.
 
Full Article
