Attack on Cisco Routers Proves That Barbarians Can, Have and Will Circumvent the Gates

By Peter Bernstein September 17, 2015

Hopefully, you haven’t been asleep at the router the past few days. If you have, you might have missed all the commotion regarding the findings of the security experts at Mandiant/FireEye: a router implant named “SYNful Knock”—named based on how the implanted software can jump from router to router using the device's syndication functions—has been found in 14 Cisco routers across India, Mexico, the Philippines and Ukraine.

Let’s just say the publication of their findings, in the first of what appears to be a two-part series, set off a flurry of activity. Some of the coverage, per the norm for the general press, borders on hysteria. However, much of what we now know is certainly cause for consternation.

As security experts have been saying for the past several years, when it comes to cyberattacks the external barbarians figured out a while ago that they did not have to storm the gates to create havoc. In fact, they have a target rich environment thanks to an expansion of the vectors of vulnerability—think ninja tactics. As this revelation shows, even routers can be compromised. More disconcerting is what happens once the bad guys are behind the gates.

SYNful Knock in particular is a nasty piece of mischief given how hard it is to detect and remediate. In fact, speculation is that only a few nation-states have the resources to pull this off, and that this discovery may only be the tip of an iceberg that may have already persisted for over a year. 

The somewhat good news about this is that it involves the compromising of Cisco routers 1841, 2811 and 3825, which Cisco calls “Classics”: they are discontinued, although still supported. Indeed, therein lies a rub, as the installed base is both plentiful and strategically placed, to say the least.


Rather than go into the incredible detail provided by Mandiant/FireEye—which has given us incredible details about the attack and will be hosting a webinar, SYNful Knock-A Cisco Router Implant, on Friday, Sept. 18, 2015 at 11:00 am ET/8:00 am PT—suffice it to say, the term “Implant” is now something we are all likely to have embedded in our knowledge base, and as the blog says, “We hope that this post has advanced the understanding of this flexible and stealthy router implant. It should be evident now that this attack vector is very much a reality and will most likely grow in popularity and prevalence. In the next part of this series, we will examine methods that can be used to passively and actively detect this implant.”

As FireEye Chief Executive Dave DeWalt told Reuters, "If you own (seize control of) the router, you own the data of all the companies and government organizations that sit behind that router . . . This is the ultimate spying tool, the ultimate corporate espionage tool, the ultimate cybercrime tool."

The Cisco Reaction

FireEye said it was only announcing its discovery after working with Cisco to notify governments and affected parties. That is why it is useful to read in full Cisco’s own timely blog post on the subject, SYNful Knock: Detecting and Mitigating Cisco IOS Software Attacks, by Omar Santos, Incident Manager, Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations.

As Santos notes, Cisco did quietly notify customers. Plus, he provided a short description of SYNful Knock that is worth a quick read: “SYNful Knock is a type of persistent malware that allows an attacker to gain control of an affected device and compromise its integrity with a modified Cisco IOS software image. It was described by Mandiant as having different modules enabled via the HTTP protocol and triggered by crafted TCP packets sent to the device.”  

The blog contains a series of useful descriptions and links, not the least of which is that Cisco Talos has published Snort rule SID:36054 to help detect attacks leveraging the SYNful Knock malware.

Visibility, Analytics and Vigilance are Key

It should almost go without saying that the items in the above sub-heading fall into what might be considered a “keen grasp of the obvious” category, but they nevertheless bear repeating. In addition, it should be noted that the advice in the Cisco blog was echoed by one of the slew of security professionals who reached out to me with their views. Lamar Bailey, security specialist and leader of Tripwire's Vulnerability and Exposures Research Team (VERT), had representative commentary in explaining that:

“Routers are one of the Holy Grail targets for attackers because they lie outside of many normal security protections. It appears that attackers have targeted specific routers and firmware versions and they are able to gain access to the routers via weak or default credentials. Once the router is compromised they overwrite the firmware with modified, malicious versions designed to run on the specific hardware.

It’s likely that these attackers have either bought these routers new or purchased new ones off eBay in order to reverse engineer the firmware and create a malicious version. Modifying firmware for your own needs or to add new features is a common practice and has been used to great success on home routers and access points (see, etc.). This is just the same practice used on a grander scale in order to facilitate cybercrime. The new firmware operates like the original but has some added features that allow the attackers to snoop on the traffic passing through the device.

In order to protect themselves, organizations need to tightly control access to their routers, use strong passwords, and monitor them closely for configuration changes that can indicate compromise.”
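One way to act on that last piece of advice, as an added example that is not from the article, Tripwire or Cisco: a small Python check that compares a router's IOS image hash (parsed from the output of the IOS `verify /md5 flash:<image>` command) against a recorded known-good value, and reports configuration drift between a saved baseline and the current running config. The CLI output, image file name, hash value and config snippets below are constructed for the example.

```python
"""Image-integrity and config-drift checks over captured Cisco IOS CLI output."""
import difflib
import re

# Constructed sample output of `verify /md5 flash:<image>` (hypothetical image
# name; the digest is a made-up value, not a real Cisco image hash).
VERIFY_OUTPUT = """\
Verifying file integrity of flash:c2800nm-ipbase-mz.bin.............Done!
verify /md5 (flash:c2800nm-ipbase-mz.bin) = 3f2a9c0b7d4e1a6f8b5c2d9e0f1a3b4c
"""

# Known-good digests you recorded when the image was downloaded (constructed).
KNOWN_GOOD = {"c2800nm-ipbase-mz.bin": "3f2a9c0b7d4e1a6f8b5c2d9e0f1a3b4c"}

# Constructed baseline and current running configs for the same router.
BASELINE_CONFIG = """\
! Last configuration change at 10:01:02 UTC Mon Sep 14 2015
hostname edge-rtr
boot system flash:c2800nm-ipbase-mz.bin
no ip http server
logging host 10.0.0.5
"""
CURRENT_CONFIG = """\
! Last configuration change at 03:44:10 UTC Thu Sep 17 2015
hostname edge-rtr
boot system flash:c2800nm-ipbase-mz.bin
ip http server
"""


def image_hash_ok(verify_output: str, known_good: dict) -> tuple:
    """Parse `verify /md5` output; return (image name, True if digest matches)."""
    m = re.search(r"verify /md5 \(flash:([^)]+)\) = ([0-9a-f]{32})", verify_output)
    if not m:
        return (None, False)  # unparseable output is treated as a failed check
    name, digest = m.group(1), m.group(2)
    return (name, known_good.get(name) == digest)


def config_drift(baseline: str, current: str) -> list:
    """Return the config lines added (+) or removed (-), ignoring '!' comment lines."""
    def clean(cfg):
        return [l for l in cfg.splitlines() if l.strip() and not l.startswith("!")]
    diff = difflib.unified_diff(clean(baseline), clean(current), lineterm="", n=0)
    return [l for l in diff if l[0] in "+-" and not l.startswith(("+++", "---"))]


if __name__ == "__main__":
    print("image check:", image_hash_ok(VERIFY_OUTPUT, KNOWN_GOOD))
    for change in config_drift(BASELINE_CONFIG, CURRENT_CONFIG):
        print("config drift:", change)
```

The same two checks run unchanged over real `verify /md5` output and `show running-config` captures collected out of band, which is what makes the comparison meaningful when the device itself is suspect.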

Finally, as has been the case whenever these things get exposed, the old marketing communications and crisis management consultant in me likes to see how the impacted company is dealing with the situation. It is fair to say, while still early, that Cisco has done a reasonable job in terms of letting impacted customers know, having recommendations for remediation, and suggesting practices to help avoid problems in the future. Unlike retailers, financial institutions, healthcare providers and even the government, Cisco, to its credit, has responded in a measured and appropriate way once this went public.

What is a bit surprising is that there is no mention of the blog on the company home page at all, and you have to go to the bottom and click on Security Advisories to get to the root cause of the commotion. However, at least they are being as transparent as possible.

This may not keep the barbarians from Cisco’s or any other vendor’s gates, but hopefully it will increase awareness that “E”verything is potentially vulnerable. Having real-time visibility into any and all anomalous activity may not be 100 percent perfect for deterring cyberattacks, but it sure beats the alternatives.
