A bit more about the Cisco router break-in.
It seems that the rogue software has been found in routers in Ukraine, the Philippines, Mexico and India.
Mandiant, a FireEye company, has discovered the next evolution in persistence currently being used in the wild. Once thought to be only theory, implanted routers are now very much a reality. While this attack could be possible on any router technology, in this case, the targeted victims were Cisco routers.
Routers maintain critical positions as they are located on the boundaries of a network as well as in the core. Ironically, these critical devices often get overlooked for endpoints, mobile devices, and servers when it comes time to respond to an attack. However, a router implanted with a backdoor provides attackers a very easy entry point to establish a foothold and compromise other hosts and critical data.
The team found 14 instances of this router implant, dubbed SYNful Knock, across four countries: Ukraine, Philippines, Mexico, and India.
The theoretical nature of router-focused attacks created a mindset within our industry to focus on building more walls around the perimeter, leaving many organisations exposed when it comes to foundational devices like routers.
How big is the impact of such an attack?
No company can exist today without heavily relying on being connected to the Internet. Imagine for a second that every bit of data going in and out of these companies could be compromised without any knowledge of it. You might first assume that all of the databases or servers would need to be under attacker control. But the routers’ position on the edge of the network can now be turned against you to achieve this goal.
“As we saw with attackers adopting nascent services like Twitter and Microsoft TechNet to carry out their attacks and obfuscate their activity, we see here that a very uncommon attack vector has opened a worldwide threat that is highly difficult to detect,” Mandiant said.
According to Cisco, “In the past, attackers were primarily targeting infrastructure devices to create a denial of service (DoS) situation. While these types of attacks still represent the majority of attacks on network devices, attackers are now looking for ways to subvert the normal behavior of infrastructure devices due to the devices’ privileged position within the IT infrastructure. In fact, by owning an infrastructure device such as a router, the attacker may gain a privileged position and be able to access data flows or crypto materials or perform additional attacks against the rest of the infrastructure.”
The implant uses techniques that make it very difficult to detect. A clandestine modification of the router’s firmware image can be used to maintain a perpetual presence in an environment. However, it mainly evades detection because very few, if any, are monitoring these devices for compromise.
“We believe that the detection of SYNful Knock is just the tip of the iceberg when it comes to attacks utilizing modified router images (regardless of vendor). As attackers focus their efforts on gaining persistent access, it is likely that other undetected variants of this implant are being deployed throughout the globe,” Mandiant added.
Addressing this new threat vector will require a different type of approach and will certainly reveal information about previously unknown compromises.