Malicious firmware has been identified by researchers on Cisco routers. The malware implants allow attackers to maintain persistence in an organization’s network.
Attacks in which hackers replaced the legitimate firmware on routers with a malicious image were first spotted by Cisco in August. This week, FireEye’s Mandiant reported identifying a total of 14 Cisco routers across four countries implanted with what the security firm has dubbed “SYNful Knock.”
Other researchers have conducted an Internet scan using the ZMap tool and discovered 79 possibly infected devices spread out across 19 countries.
The implants themselves are not affected by device reboots, but the numerous functional modules they use are loaded into volatile memory and they are removed after the system is restarted.
Cisco has pointed out that these attacks don’t involve the exploitation of a vulnerability in the targeted routers. Instead, attackers appear to be leveraging stolen admin credentials and a legitimate feature to replace the firmware.
Industry professionals contacted by SecurityWeek have made some interesting remarks about the SYNful Knock attacks and provided recommendations for mitigating such threats.
And the feedback begins…
Yvonne Malmgren, Cisco Corporate Communications:
“While Mandiant saw this attack across specific Cisco models, the key focus of this research is more about an evolution in attack types and how important it is for all network administrators to ensure security best practices are implemented. Network devices, of many types and from many companies, are high-value targets for malicious actors. We recommend that customers of all networking vendors include methods in their operational procedures for preventing and detecting compromise.”
Andrew Conway, Research Analyst, Cloudmark:
“Writing router firmware requires a high level of technical skill and knowledge, SYNful Knock is not the product of some run-of-the-mill cybercriminal. My first thought was that this malware was probably a nation state actor, particularly when I saw that the Ukraine was one of the countries where it has been detected. However, the other countries on the list, Mexico, the Philippines, and India, are not so geopolitically sensitive. It may be that the attackers are opportunistically scanning the Internet for routers with default or week admin passwords and compromising whatever they can.
Such an attack is hard to monetize. While a router sees all the traffic entering a network, most sensitive sites such as banks, shops, and webmail providers use HTTPS to encrypt traffic so the compromised router would not be able to capture banking credentials or credit card numbers. However, a router could provide a stepping stone to other vulnerable machines within a network, or it could be used in a DDoS attack. We don’t know what other functionality is provided by SYNful Knock’s downloadable modules so we don’t know for certain what motivated this attack.
Installing SYNful Knock requires either admin credentials or physical access to the router. Any organization that uses strong passwords and has good physical security should be safe from everything except insider threats. However, insiders threats are a potential problem. Firmware updates from any device should only come from the manufacturer, and manufacturers can ensure this by requiring that all updates be cryptographically signed. This should be the standard not just for routers, but for any device on the Internet of Things.”
Ryan Smith, Vice President and Chief Scientist, Optiv:
“When researchers first started looking at Cisco devices, IOS and the processors it ran on were considered exotic. Very few people were finding vulnerabilities using static analysis, so most vulnerabilities were discovered by sending random data to the routers. Also, exploitation was considered difficult due to how iOS used memory. About 5 years ago, security researchers started improving skills related to embedded devices such as dealing with exotic processors and understanding low level details of Real Time Operating Systems.
The improvements in the auditing processes and documentation has afforded an environment where vendors who were protected by relative obscurity are substantially more exposed. This landscape shift is best illustrated contrasting Cisco’s IOS to Apple’s IOS. On a current model iDevice, the hardware verifies that the software running is approved by Apple using high grade cryptography. The iPhone’s security grew up during the security community’s uptick in exotic analysis. Since Cisco grew up in an era before, their devices don’t include the same security precautions even though the hardware is much more critical to Internet infrastructure. If they had, the protections that were implemented in the iPhone in 2009, the SYNful Knock implant would not have been able to work without successfully finding and attacking a flaw in Cisco IOS.
In regard to mitigation, the use of strong authentication would have prevented the installation of implants on these devices. There are a myriad of ways you can authenticate to these routers and each organization should choose the strongest scheme that their environment allows. As attacks against Cisco IOS grow in sophistication, it’s also important to ensure that the latest updates are applied. These updates mitigate vulnerabilities that would allow the installation of implants without authenticating to the routers.”
Tom Bain, Vice President of Security Strategy, CounterTack:
“It appears from the reports that SYNful Knock malware is sitting dormant and it’s harvesting credentials at initialization. It probably runs a second process as it preys on default settings in ROMMON. This is a classic case of targeted malware that is purpose-built, and a very good example of how malware plays a major role launching APT’s.
What’s interesting about the process that SYNful Knock follows, is that it appears designed to not leave a trace upon re-boot so that a would-be attacker could ride SYNful Knock to move laterally with full confidence in a smash-and-grab attack, exfiltrate data and get out without triggering any detection mechanism.
Organizations should start thinking about the integration of their network-based and endpoint detection tools, so that security teams aren’t tied to just one detection engine. Second, this shows that purpose-built, previously unseen malware is arguably the biggest and most persistent threat to most companies. Further, it’s critical that organizations continuously monitor both the packet layer and the device infrastructure as threats like this routinely jump from one to the other as attackers navigate to find the data they seek.”
Alex Cox, Senior Manager of RSA FirstWatch:
“We can look at the threat of an attack on a network device like this in a couple of ways.
1) “The Internet of Things” – From a computing standpoint, a router is unlike a desktop or server system in that it largely is not directly accessed often. It’s set and forget, with an occasional configuration change for network purposes. That said, a router is a small computer, and if compromised it could be used for anything a compromised computer could be, which might include as a proxy for other attacks, a foothold to allow lateral movement into the network for additional attacks or any other number of malicious uses.
2) “Network Sniffer” – A much more nefarious attack would be the “network sniffer” attack. Most routers allow port forwarding or port mirroring. This allows an IT administrator to monitor the traffic going across a router for troubleshooting or monitoring purposes, but if used maliciously could be used to monitor and gather any sort of information that crosses the network. This could impact an organization greatly, depending on the location of the router and what network traffic it sees. A scarier possibility would be an attack on an ISP or Internet Core device, where the network traffic of many organizations, consumers, government entities etc., could be monitored via the compromised router.
Even though only [a relatively small number of] infected routers were detected in this case, it’s still a very valid threat. From a detection standpoint, network infrastructure devices should be treated like any other connected device and should be included in a risk mitigation plan that would include pervasive visibility around devices that support or interact with critical systems (the crown jewels!). Mitigation of such a threat falls along the same lines as most others. Patch devices often, rotate administrator credentials, and monitor for malicious or suspicious behavior. “
Jason Lewis, Chief Collection and Intelligence Officer, LookingGlass:
“Attacking network infrastructure has been a threat vector for many years. Compromising the network infrastructure has the potential to be very impactful given that all network traffic passing through that infrastructure can be potentially inspected and analyzed. This tactic provides greater visibility to a broader range of devices than if a single endpoint or server was infected with malware. One of the less talked about aspects of security is that operating the network allows access to all data that traverses that network. The sexy solutions these days are all about endpoint protection. The reality is, if I control the network I can modify traffic going into and out of those endpoints. By controlling the routers and infrastructure of my target, I can mask my malicious activity and gain access to any systems I target, undetected.
A not so obvious attack vector would be to compromise the ISP of my target and covertly manipulate traffic to and from that network. The target may have high security, but they pass traffic to the ISP, who probably doesn’t have the same security concerns. This hasn’t made a lot of press yet, but it’s going to. As more compromised devices are discovered analysts will find patterns and relationships, it’s going to be a big story.”
Amit Serper, Senior Security Researcher, Cybereason:
“This attack is in fact very interesting. Up until this day we’ve seen attacks on routers and other embedded devices that were mostly small routers and end devices provided by ISPs such as home routers/cable modems, etc. These devices run some sort of embedded Linux on it that has a very poorly designed web interface which is usually the weakest link that allows the perpetrator to own the device. Cisco routers aren’t your usual “4-port switched ethernet + wifi home router”, it is a “heavy-duty” machine that a lot of organizations and ISPs use it as their network entry point. It is important to understand that those machines are ‘the door’ to the organizations, there is no firewall or any other device that protects the network.
In a case that a router is compromised, the attacker has the ability to control the traffic to and from the organizations and thus manipulate it. A lot of people may tend to look-down on such attacks and say ‘oh well, we use SSL for everything, we’re safe’. Attacks such as these must not be dismissed lightly. If an attacker has the ability to run code on your router, he might also have the ability to redirect you to his own SSL termination server and decrypt your traffic and re-encrypting it without you even noticing it. The fact that not many devices were found with those implants doesn’t make it less serious. “SYNful knock” is a very elaborate attack that requires reverse engineering and exploiting of Cisco’s proprietary IOS. If this attack is part of a bigger operation, it could be used to turn certain routers into pivot points into a sensitive network, one which might be segmented or even “air gapped” from the world.”
Stephen Cobb, senior security researcher, ESET North America:
“Malicious firmware implanted on routers is definitely a threat to take seriously, and I would advise CISOs to take a look at the indicators of compromise published by Fireeye. At the very least this is an urgent reminder to make sure none of your organization’s routers are configured with default credentials.
The fact that only a small number of infected devices were detected does not mean that those are the only victims. More importantly perhaps, the discovery highlights the growing attention that cybercriminals are paying to routers and other parts of the network infrastructure, beyond endpoints and internal servers.
A few years ago we saw criminals starting to use backdoored binaries on Linux webservers, as in the huge Windigo campaign. We are seeing campaigns today using home routers for traffic redirection, DDoS, and spam. Compromising enterprise routers is a logical progression, given their trust position in the network infrastructure their potential for using in a wide range of data crimes.
That this report of an advanced attack on routers was published the same day that the FBI issued an alert about the cybercrime implications of Internet of Things, in which routers play a critical role, is probably a coincidence. However, it was frankly a little spooky to see law enforcement issuing recommendations for router security at the same time that router insecurity was being highlighted.”
Adam Englander, Director of Engineering, LaunchKey:
“Modernizing the access security of networking devices is a serious issue facing data center operators. The lack of multi-factor authentication mechanisms in network devices is a great cause of concern for those charged with keeping the data and systems inside of the data center secure. Stolen and/or cracked passwords are easy prey for hackers attempting to breach the router/firewall of any data center. Once inside the device, the attackers may spread their attack to other devices inside the datacenter using the same credentials and capture the data flowing through them.
Prime examples of well-known network device hacks are the OPM and Ashley Madison data breaches. Most specifically, the Ashley Madison breach was reportedly performed by using a password crack with an easily guessed password of Pass1234. The Ashley Madison breach should alert the rest of the world that multi-factor authentication is needed to protect routers and firewalls from attackers. I’ve had recent conversations with data center operators on their desire to implement multi-factor authentication. There is increasing pressure from executives due to the severity and high profile of the attacks over the last year to secure the data center beyond usernames and password. Until this happens, we will continue seeing many more of these high profile attacks moving forward.”
Nir Krumer, Security Analyst, Cytetgic:
“As interesting and newsworthy as the SYNful Knock attack is, network device malware has been on the rise for quite some time and organizations needs to start planning ahead and addressing the growth of this new/old threat. It is definitely warrants attention despite the fact it has not yet been widely addressed, my guess is that we will start to encounter it and variants of it more often.
Network Devices (Routers and Switches) are the soft belly for any organization. They are the critical choke points for all the data transfer within the organization. For an attacker, they’re a gold mine since once they are taken over, the sky’s the limit. Nevertheless, network devices are a hard pickle to defend – configuration hardening, monitoring alerts, managing and updating thousands of devices is a complex and error-prone endeavor.
This attack vector underscores the importance of Defense in Depth, starting with the standard device hardening (changing default configuration, passwords, encrypted connections etc.), performing updates on a regular basis (software, firmware and hardware), monitoring configurations, network scanning (using FW and IPS) and deploying an even more advanced methods such as network anomaly detection. Some of these functions are more complicated than others, but practicing them religiously is the best way to prevent the success of these attacks.”
Lamar Bailey, leader of Tripwire’s Vulnerability and Exposures Research Team (VERT):
“Routers are one of the Holy Grail targets for attackers because they lie outside of many normal security protections. It appears that attackers have targeted specific routers and firmware versions and they are able to gain access to the routers via weak or default credentials. Once the router is compromised they overwrite the firmware with modified, malicious versions designed to run on the specific hardware.”
