Connect with us

Hi, what are you looking for?


Network Security

Implanted Cisco Routers Targeting Global Networks

Researchers at FireEye-owned security firm Mandiant have spotted more than a dozen Cisco routers on which attackers planted malicious firmware that allows them to maintain persistence in the targeted organization’s network.

Researchers at FireEye-owned security firm Mandiant have spotted more than a dozen Cisco routers on which attackers planted malicious firmware that allows them to maintain persistence in the targeted organization’s network.

IOS, the operating system that runs on most Cisco routers and switches, uses a bootstrap program called ROM Monitor (ROMMON) to initialize the hardware and boot the software. Cisco issued an alert one month ago to warn customers that attackers had been using a legitimate ROMMON field upgrade process to install a malicious image on devices.

Mandiant says it has spotted such “implants,” which the company has dubbed “SYNful Knock,” on 14 Cisco routers located in Ukraine, Philippines, India and Mexico.

The attacks don’t involve the exploitation of a vulnerability. Instead, malicious actors can modify the firmware either by using stolen credentials, or by having physical access to the targeted router. Mandiant believes the attackers have either managed to get their hands on admin credentials, or the compromised devices had been using default credentials.

SYNful Knock

Mandiant says Cisco 1841, 2811, 3825 and likely other router models are affected. It’s worth noting that Cisco 1841, 2811 and 3825 integrated services routers are no longer being sold.

Once they modify the firmware on the targeted router, attackers have unrestricted backdoor access to the device via the console and Telnet using a special password.

The malware allows attackers to load various functional modules on the Cisco router using specially crafted TCP packets sent to the device’s interface.

“The modules can manifest themselves as independent executable code or hooks within the routers IOS that provide functionality similar to the backdoor password,” researchers explained in a blog post.

Advertisement. Scroll to continue reading.

Experts have pointed out that while the implant is persistent, the 100 additional modules that can be loaded by the attackers reside in volatile memory and they are removed after a reboot or reload of the device.

Router implants such as SYNful Knock can pose a serious threat to organizations. Routers can be located both on the boundaries and in the core of a network, which gives attackers an easy entry point, allows them to maintain persistence, and enables them to gain access to other hosts, including ones that might store valuable information.

On the other hand, detecting and mitigating threats like SYNful Knock is not always an easy task and, according to FireEye, organizations often overlook routers and focus their efforts on protecting endpoints, mobile devices and servers.

“Given their role in a customer’s infrastructure, networking devices are a valuable target for threat actors and should be protected as such. We recommend that customers of all networking vendors include methods for preventing and detecting compromise in their operational procedures,” Cisco said in a blog post summarizing the steps that need to be taken to detect and mitigate such attacks.

The process outlined by Cisco has four main steps: hardening devices, instrumenting the network via telemetry-based infrastructure device integrity monitoring, establishing a baseline, and analyzing deviations from that baseline.

“We believe that the detection of SYNful Knock is just the tip of the iceberg when it comes to attacks utilizing modified router images (regardless of vendor),” FireEye said. “As attackers focus their efforts on gaining persistent access, it is likely that other undetected variants of this implant are being deployed throughout the globe.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

A zero-day vulnerability named HTTP/2 Rapid Reset has been exploited to launch some of the largest DDoS attacks in history.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet