Categories: Security

Attackers Take Over Cisco Routers With Malicious OS Image

Attackers have successfully taken control of Cisco routers in a new form of attack that involves replacing the router’s operating system, effectively granting unrestricted access to the network, the company confirmed on Tuesday.

The attack, which involves replacing the operating system image embedded in the router’s firmware with a modified version that grants control to an attacker, was previously believed to be “theoretical in nature and especially in use”, according to FireEye’s Mandiant unit, which discovered the malicious system images.

SYNful Knock

FireEye said it found at least 14 such router implants, using a firmware modification it called “SYNful Knock”, spread across the Ukraine, the Philippines, Mexico and India, but said it’s likely that there are more compromised routers that remain undiscovered.

The router compromise is difficult to spot due to the way in which it communicates with attackers, FireEye said.

“The presence of the backdoor can be difficult to detect as it uses non-standard packets as a form of pseudo-authentication,” the company said in an advisory. “Finding backdoors within your network can be challenging; finding a router implant, even more so. The impact of finding this implant on your network is severe and most likely indicates the presence of other footholds or compromised systems.”

The malaware is customisable and can be updated remotely, according to FireEye, and because it is a modification of the router’s firmware, it remains in place even if the device is restarted. However, the modules the malware is capable of loading exist only in the device’s volatile memory, and are erased with a hard restart, FireEye said.

The modified IOS image was found on Cisco’s 1841, 2811 and 3825 routers, but FireEye said it believes other models are probably also affected.

“The implant also provides unrestricted access using a secret backdoor password,” the company said in its advisory.

Undetected for at least a year

FireEye said the compromises didn’t appear to have made use of a security flaw, but rather required the attackers to use valid security credentials. The company speculated that the attackers could have gained access to devices in which the users relied upon default security settings that are publicly known, that the attackers gained knowledge of the security credentials in some other way, or that they had physical access to the affected devices.

FireEye said the compromises affected companies in various industries as well as government agencies, and appeared to have been in place for at least a year before being discovered.

Cisco said in a statement that it recommends users of networking products carry out regular operations aimed at preventing and detecting compromises.

The company previously warned of the possibility of such attacks in an advisory published last month.

Are you a security pro? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago