More on SYNful Knock in Cisco routers

A bit more about the Cisco router break-in.

It seems that the rogue software has been found in routers in Ukraine, the Philippines, Mexico and India.


Mandiant, a FireEye company, has discovered the next evolution in persistence currently being used in the wild. Once thought to be only theory, implanted routers are now very much a reality. While this attack could be possible on any router technology, in this case, the targeted victims were Cisco routers.

Routers occupy critical positions: they sit on the boundaries of a network as well as in its core. Ironically, these critical devices are often overlooked in favour of endpoints, mobile devices and servers when it comes time to respond to an attack. Yet a router implanted with a backdoor gives attackers a very easy entry point from which to establish a foothold and compromise other hosts and critical data.

The team found 14 instances of this router implant, dubbed SYNful Knock, across four countries: Ukraine, Philippines, Mexico, and India.

The theoretical nature of router-focused attacks created a mindset within our industry that focused on building more walls around the perimeter, leaving many organisations exposed when it comes to foundational devices such as routers.

How big is the impact of such an attack?

No company can exist today without relying heavily on being connected to the Internet. Imagine for a second that every bit of data going in and out of these companies could be compromised without anyone knowing it. You might first assume that all of the databases or servers would need to be under attacker control. But the routers’ position on the edge of the network can now be turned against you to achieve the same goal.

“As we saw with attackers adopting nascent services like Twitter and Microsoft TechNet to carry out their attacks and obfuscate their activity, we see here that a very uncommon attack vector has opened a worldwide threat that is highly difficult to detect,” Mandiant said.

According to Cisco, “In the past, attackers were primarily targeting infrastructure devices to create a denial of service (DoS) situation. While these types of attacks still represent the majority of attacks on network devices, attackers are now looking for ways to subvert the normal behavior of infrastructure devices due to the devices’ privileged position within the IT infrastructure. In fact, by owning an infrastructure device such as a router, the attacker may gain a privileged position and be able to access data flows or crypto materials or perform additional attacks against the rest of the infrastructure.”

The implant uses techniques that make it very difficult to detect. It is a clandestine modification of the router’s firmware image (the Cisco IOS image, in this case), so it survives reboots and gives the attacker a perpetual presence in the environment; the specially crafted TCP SYN packets that open its covert command channel are where the name comes from. Mainly, though, it evades detection because very few organisations, if any, are monitoring these devices for compromise.

“We believe that the detection of SYNful Knock is just the tip of the iceberg when it comes to attacks utilizing modified router images (regardless of vendor). As attackers focus their efforts on gaining persistent access, it is likely that other undetected variants of this implant are being deployed throughout the globe,” Mandiant added.

Addressing this new threat vector will require a different type of approach and will certainly reveal information about previously unknown compromises.
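As an added example of the kind of monitoring the post says is missing (this is not FireEye/Mandiant or Cisco code and is not part of the original post), the Python below parses a raw TCP SYN and the SYN-ACK that answers it and flags two RFC 793 violations: an acknowledgement number carried in a SYN whose ACK flag is clear (a normal stack ignores that field, which makes it a convenient place to hide a trigger value), and a SYN-ACK whose urgent pointer is set while URG is clear, which is one of the SYN-ACK traits FireEye published as an indicator of the implant. The port numbers, sequence numbers and the 0x1234 offset in the sample packets are arbitrary, and the packets are constructed inline rather than captured.

```python
"""Flag TCP handshake anomalies of the kind a router implant's covert
control channel can expose.

Added example, not FireEye/Mandiant or Cisco code.  The checks are generic
RFC 793 sanity checks on a SYN / SYN-ACK pair; the packets at the bottom are
constructed by hand, not captured traffic.
"""
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10
TCP_URG = 0x20
MSS_1460 = b"\x02\x04\x05\xb4"  # an ordinary MSS option for the constructed packets


def parse_tcp(hdr: bytes) -> dict:
    """Parse a raw TCP header (no IP header) into its fields plus option bytes."""
    if len(hdr) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_flags, win, _csum, urg = struct.unpack(
        "!HHIIHHHH", hdr[:20])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(hdr):
        raise ValueError("bad data offset")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "win": win, "urg": urg,
            "options": hdr[20:data_off]}


def build_tcp(sport, dport, seq, ack, flags, urg=0, options=b"", win=8192) -> bytes:
    """Build a raw TCP header; checksum stays zero since no IP pseudo-header is involved."""
    opts = options + b"\x00" * (-len(options) % 4)   # options are padded to 32-bit words
    data_off = (20 + len(opts)) // 4
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (data_off << 12) | flags, win, 0, urg) + opts


def handshake_anomalies(syn: bytes, synack: bytes) -> list:
    """Return human-readable findings for a client SYN and the server's reply."""
    s, sa = parse_tcp(syn), parse_tcp(synack)
    findings = []
    if not (s["flags"] & TCP_SYN) or (s["flags"] & TCP_ACK):
        findings.append("first packet is not a plain SYN")
    if not (s["flags"] & TCP_ACK) and s["ack"] != 0:
        # RFC 793: the acknowledgement field only means something when ACK is set,
        # and real stacks send 0 here.  A value smuggled into it stands out.
        findings.append("SYN carries a nonzero acknowledgement number with ACK flag clear")
    if s["urg"] and not (s["flags"] & TCP_URG):
        findings.append("SYN urgent pointer set while URG flag clear")
    if (sa["flags"] & (TCP_SYN | TCP_ACK)) != (TCP_SYN | TCP_ACK):
        findings.append("reply is not a SYN-ACK")
    elif sa["ack"] != ((s["seq"] + 1) & 0xFFFFFFFF):
        findings.append("SYN-ACK does not acknowledge client ISN+1")
    if sa["urg"] and not (sa["flags"] & TCP_URG):
        # One of the published SYNful Knock indicators: the implanted router's
        # SYN-ACK sets the urgent pointer without setting URG.
        findings.append("SYN-ACK urgent pointer set while URG flag clear")
    return findings


# Constructed sample traffic (not captured): a normal handshake to a router's
# HTTP port, and one showing the two oddities the checks above look for.
# Ports, sequence numbers and the 0x1234 offset are arbitrary.
NORMAL_SYN = build_tcp(40000, 80, seq=0x1000, ack=0, flags=TCP_SYN, options=MSS_1460)
NORMAL_SYNACK = build_tcp(80, 40000, seq=0x5000, ack=0x1001,
                          flags=TCP_SYN | TCP_ACK, options=MSS_1460)
ODD_SYN = build_tcp(40000, 80, seq=0x1000, ack=0x1000 + 0x1234,
                    flags=TCP_SYN, options=MSS_1460)
ODD_SYNACK = build_tcp(80, 40000, seq=0x5000, ack=0x1001,
                       flags=TCP_SYN | TCP_ACK, urg=1, options=MSS_1460)

if __name__ == "__main__":
    for name, pair in (("normal", (NORMAL_SYN, NORMAL_SYNACK)),
                       ("odd", (ODD_SYN, ODD_SYNACK))):
        print(name, handshake_anomalies(*pair) or "no anomalies")
```

To run this over real traffic, slice the TCP header out of each pcap record (after the Ethernet and IP headers) and pair each SYN with the SYN-ACK that answers it; nothing in the block itself touches the network, and a hit on either check is a reason to pull the router's image for verification rather than proof of compromise on its own.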

8 comments for “More on SYNful Knock in Cisco routers”

  1. Mercy
    September 17, 2015 at 12:42 pm

    The info on the Cisco router break-in tells us that there is no definite safety in this world. Attackers use their intelligence to bring changes to some systems for their own purposes. These changes may affect the running of the system, the security (as private information is stolen) and, worst of all, the procedure of the system; the technician needs to make a survey, which wastes time and money. Some movies show us that if you attack something, you leave some comments on how to revive it. This should be the moral development of the attackers. It is easy to attack less than 1 minute, but it is not easy to revive; it takes years, maybe a whole life in depression.

    • moses
      September 17, 2015 at 1:14 pm

      “It is easy to attack less than 1 minute”

      That 1-minute attack may have taken years of study and research 🙂

      Movies never show the hard work put in by the attacker 🙂

      • Mercy Hu
        September 17, 2015 at 9:57 pm

        I agree that 1 minute takes years of research. However, people do research for improvement; if it brings disaster, better to research two alternatives before it brings the disaster.

  2. Mercy
    September 17, 2015 at 12:52 pm

    This means that, if you prepare to attack some system, you should give the minimum moral support to the system. Think of the effort that was put in by the former technician. Think of the tears and sweat of other people spent on the development of the system. Think of the consequences that may happen to the developer of the system. If you dare to attack, dare to solve the problem that you create. Life is short; do something meaningful and don’t destroy anything. Provide a turning point to others so that the world will be meaningful to others.

    • moses
      September 17, 2015 at 1:17 pm

      You are talking like a white hat 🙂

      Attacks are launched for many reasons – some times it is to destroy completely 🙂

  3. Mercy
    September 17, 2015 at 2:00 pm

    Cited from
    We hate attackers. It’s annoying. It hurts your site’s credibility and security. Time spent dealing with attackers is time stolen. We know you are clever and smart. Please don’t destroy everything. Please keep your moral support for the world.

    • moses
      September 17, 2015 at 3:24 pm

      “Time spent dealing with attackers is time stolen.”

      Time spent doing backups is time well spent 🙂

      Incidentally, I looked at your Akismet citation and it talks about spam; it is not related to hacks.

    • moses
      September 17, 2015 at 3:31 pm

      SYNful Knock is NOT spam.
