Hopefully, you haven’t been asleep at the router the past few days. If you have, you might have missed all the commotion regarding the finding of the security experts at Mandiant/FireEye: a router implant named “SYNful Knock”—named based on how the implanted software can jump from router to router using the device's syndication functions—has been found in 14 Cisco routers across India, Mexico, Philippines and Ukraine. 

Let’s just say the publication of their findings in the first of what appears to be a two-part series set off a flurry of activity. Some of the coverage is, per the norm, the general press bordering on hysteria. However, much of what we now know is certainly cause for consternation.

As security experts have been saying for the past several years, when it comes to cyberattacks the external barbarians figured out a while ago that they did not have to storm the gates to create havoc. In fact, they have a target rich environment thanks to an expansion of the vectors of vulnerability—think ninja tactics. As this revelation shows, even routers can be compromised. More disconcerting is what happens once the bad guys are behind the gates.

SYNful Knock in particular is a nasty piece of mischief given how hard it is to detect and remediate. In fact, speculation is that only a few nation-states have the resources to pull this off, and that this discovery may only be the tip of an iceberg that may have already persisted for over a year. 

The somewhat good news about this is that it involves the compromising of Cisco routers 1841, 2811 and 3825 which Cisco calls “Classics” and are discontinued although still supported. Indeed, therein lies a rub, as the installed base is both plentiful and strategically placed to say the least. 

Rather than go into the incredible detail provided by Mandiant/FireEye—which has given us incredible details about the attack and will be hosting a webinar, SYNful Knock-A Cisco Router Implant, on Friday, Sept. 18, 2015 at 11:00 am ET/8:00 am PT—suffice it to say, the term “Implant” is now something we are all likely to have embedded in our knowledge base, and as the blog says, “We hope that this post has advanced the understanding of this flexible and stealthy router implant. It should be evident now that this attack vector is very much a reality and will most likely grow in popularity and prevalence. In the next part of this series, we will examine methods that can be used to passively and actively detect this implant.”

As FireEye Chief Executive Dave DeWalt told Reuters, "If you own (seize control of) the router, you own the data of all the companies and government organizations that sit behind that router . . . This is the ultimate spying tool, the ultimate corporate espionage tool, the ultimate cybercrime tool."

The Cisco Reaction

FireEye said it was only announcing its discovery after working with Cisco to notify governments and affected parties. It is why it is useful to read in full Cisco’s own timely blog by Omar Santos Incident Manager, Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations, SYNful Knock: Detecting and Mitigating Cisco IOS Software Attacks, on the subject.

As Santos notes, Cisco did quietly notify customers. Plus, he provided a short description of SYNful Knock that is worth a quick read: “SYNful Knock is a type of persistent malware that allows an attacker to gain control of an affected device and compromise its integrity with a modified Cisco IOS software image. It was described by Mandiant as having different modules enabled via the HTTP protocol and triggered by crafted TCP packets sent to the device.”  

The blog contains a series of useful descriptions and links not the least of which is that Cisco Talos has published the Snort Rule SID:36054 to help detect attacks leveraging the SYNful Knock malware.

Visibility, Analytics and Vigilance are Key

It should almost go without saying that the items in the above sub-heading fall into what might be considered a “keen grasp of the obvious” category, but they nevertheless bear repeating. In addition, it should be noted that the advice in the Cisco blog was echoed by one of the slew of security professionals who reached out to me with their views. Lamar Bailey, security specialist and leader of Tripwire's Vulnerability and Exposures Research Team (VERT) had representative commentary in explaining that:   

“Routers are one of the Holy Grail targets for attackers because they lie outside of many normal security protections. It appears that attackers have targeted specific routers and firmware versions and they are able to gain access to the routers via weak or default credentials. Once the router is compromised they overwrite the firmware with modified, malicious versions designed to run on the specific hardware.

It’s likely that these attackers have likely either bought these routers new or purchased new ones off eBay in order to reverse engineered the firmware in order to create malicious version. Modifying firmware for your own needs or to add new features is a common practice and has been used to great success on home routers and access points (see https://www.dd-wrt.com/site/, https://openwrt.org/, http://www.polarcloud.com/tomato, etc.) This is just the same practice used on a grander scale in order to facilitate cybercrime. The new firmware operates like the original but has some added features that allow the attackers to snoop on the traffic passing through the device.  

In order to protect themselves, organizations need to tightly control access to their routers, use strong passwords, and monitor them closely for configuration changes that can indicate compromise.”

Finally, as has been the case when these things get exposed the old marketing communications and crises management consultant in me likes to see how the impacted company is dealing with the situation. It is fair to say, while still early, that Cisco has done a reasonable job in terms of letting impacted customers know, having recommendations for remediation, and suggesting practices to help avoid problems in the future. Unlike retailers, financial institutions, healthcare providers and even the government, to its credit Cisco’s response once this went public has been measured and appropriate. 

What is a bit surprising is there is no mention of the blog on the company home page at all and you have to go to the bottom and click on Security Advisories to get to the root cause of the commotion. However, at least they are being as transparent as possible.

This may not keep the barbarians from Cisco or any other vendor’s gates, but hopefully it will increase awareness that “E”verything is potentially vulnerable and having real-time visibilities into any and all anomalous activities may not be 100 percent perfect for deterring cyberattacks, but it sure beats the alternatives.