The SYNful Knock attack has implanted modified Cisco IOS images into 14 Cisco routers in India, Mexico, the Philippines and Ukraine, according to FireEye, giving the attackers full control of the devices. The researchers expect compromised routers to turn up in more places and in other vendors' products.
SYNful Knock can download additional software modules to tailor further attacks, and has been found in Cisco 1841, 2811 and 3825 routers. Installing it requires either physical access to the router or valid credentials; no software vulnerability is being exploited, FireEye says in a blog post.
But the technique is not specific to Cisco: an equivalent implant could be built for routers from other manufacturers. “It should be evident now that this attack vector is very much a reality and will most likely grow in popularity and prevalence,” FireEye says.
The attacks begin with gaining access using valid credentials, perhaps default passwords that were never changed, and then installing the implant, which modifies the router's IOS image. The implant gives the attackers an alternative way into the now-compromised machine for further exploitation, FireEye says.
That exploitation includes loading further modules into the implant to extend what the backdoor can do.
Detecting SYNful Knock is difficult because once the implant is installed, access to the backdoor is gated by specially crafted, non-standard TCP SYN packets (hence the name) that act as both knock and authentication, rather than by any normal login, FireEye says.
“This backdoor provides ample capability for the attacker to propagate and compromise other hosts and critical data using this as a very stealthy beachhead,” the blog says.
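Because the knock rides on the first packet of an ordinary-looking TCP handshake, the practical detection is a packet filter rather than a log review. The following is an added example, not code from FireEye or Cisco: a small parser for raw IPv4/TCP packets plus a classifier that flags SYNs with the anomalies the knock depends on. The trigger constants (a sequence number that exceeds the acknowledgement number by 0xC123D, and a fixed TCP options blob) are reproduced here from FireEye's public description as an assumption and should be checked against the vendor's current signature; the sample packets are constructed inline.

```python
import socket
import struct

# TCP flag bits (low byte of the data-offset/flags word)
SYN = 0x02
ACK = 0x10

# Trigger values from FireEye's public description of the SYNful Knock
# handshake, reproduced here as an assumption for this example: the knock is
# a SYN whose sequence number exceeds its acknowledgement number by 0xC123D
# and that carries this fixed TCP options blob. Verify against the vendor's
# current signature before deploying.
KNOCK_SEQ_ACK_DELTA = 0xC123D
KNOCK_OPTIONS = bytes.fromhex("020405b40101040201030305")


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Parse a raw IPv4+TCP packet (no link-layer header) into header fields."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    doff = (off_flags >> 12) * 4          # header length in bytes, options included
    return {
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport, "dport": dport,
        "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF,
        "options": tcp[20:doff],
    }


def knock_indicators(pkt: bytes) -> list:
    """Return the reasons a packet looks like a SYNful Knock trigger (empty if clean)."""
    h = parse_ipv4_tcp(pkt)
    reasons = []
    if h["flags"] & SYN and not h["flags"] & ACK:   # pure SYN: first packet of a handshake
        # Real stacks send ack=0 in a pure SYN; the knock needs a non-zero one to
        # encode its offset, so this alone is a cheap, signature-free anomaly check.
        if h["ack"] != 0:
            reasons.append("non-zero ack number in pure SYN")
        if (h["seq"] - h["ack"]) & 0xFFFFFFFF == KNOCK_SEQ_ACK_DELTA:
            reasons.append("seq - ack == 0xC123D")
        if h["options"] == KNOCK_OPTIONS:
            reasons.append("TCP options match the published knock blob")
    return reasons


def build_packet(src, dst, sport, dport, seq, ack, flags, options=b"") -> bytes:
    """Build a constructed IPv4+TCP packet for testing (checksums left zero; the parser ignores them)."""
    options += b"\x00" * (-len(options) % 4)          # pad options to a 32-bit boundary
    doff = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (doff << 12) | flags, 8192, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


# Constructed sample traffic: an ordinary SYN, a knock aimed at the router, and a SYN-ACK.
NORMAL_SYN = build_packet("10.0.0.5", "10.0.0.1", 40000, 80, 0x11223344, 0, SYN, bytes.fromhex("020405b4"))
KNOCK_SYN = build_packet("203.0.113.9", "10.0.0.1", 45000, 80,
                         0x10000 + KNOCK_SEQ_ACK_DELTA, 0x10000, SYN, KNOCK_OPTIONS)
SYN_ACK = build_packet("10.0.0.1", "10.0.0.5", 80, 40000, 0x55667788, 0x11223345, SYN | ACK)


def scan(packets) -> list:
    """Return (src, dst, reasons) for every packet that trips at least one indicator."""
    hits = []
    for pkt in packets:
        reasons = knock_indicators(pkt)
        if reasons:
            h = parse_ipv4_tcp(pkt)
            hits.append((h["src"], h["dst"], reasons))
    return hits


if __name__ == "__main__":
    for src, dst, reasons in scan([NORMAL_SYN, KNOCK_SYN, SYN_ACK]):
        print(f"{src} -> {dst}: {'; '.join(reasons)}")
```

The "non-zero ack in a pure SYN" check is the one worth keeping even if the attackers change their constants: a legitimate client has nothing to acknowledge yet, so any value there is either a broken stack or a covert channel. The specific offset and options matches only confirm which implant you are looking at. On a live network the same logic belongs in an IDS rule fed from a span port in front of the router, since the router itself can no longer be trusted to report on its own traffic.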
Cisco has acknowledged the attacks and published steps for detecting and mitigating them. “SYNful Knock is a type of persistent malware that allows an attacker to gain control of an affected device and compromise its integrity with a modified Cisco IOS software image,” Cisco says in a blog post.
The implant is designed to hide its presence well, FireEye says. “To prevent the size of the image from changing, the malware overwrites several legitimate IOS functions with its own executable code. The attackers will examine the current functionality of the router and determine functions that can be overwritten without causing issues on the router,” the post says.
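The practical consequence of that design is that image size is worthless as an integrity check: the tampered image is byte-for-byte the same length as the original. The following is an added example, not code from Cisco or FireEye, showing the check that does work (a hash against a known-good copy) and, when the sizes match but the hashes do not, a byte-level diff that localises the overwritten functions. The stand-in "image" is constructed deterministic bytes, and the patch is simulated in place the way the quote describes.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_regions(good: bytes, suspect: bytes) -> list:
    """Return (offset, length) runs where two equal-sized images differ."""
    if len(good) != len(suspect):
        raise ValueError("images differ in size; compare hashes against the vendor's list instead")
    regions, start = [], None
    for i, (a, b) in enumerate(zip(good, suspect)):
        if a != b and start is None:
            start = i                       # entering a modified run
        elif a == b and start is not None:
            regions.append((start, i - start))
            start = None                    # leaving it
    if start is not None:
        regions.append((start, len(good) - start))
    return regions


def check_image(good: bytes, suspect: bytes) -> dict:
    """Compare a suspect image with a known-good copy: size, hash, and patched regions."""
    report = {
        "size_match": len(good) == len(suspect),
        "hash_match": sha256_hex(good) == sha256_hex(suspect),
        "patched": [],
    }
    # Same size but different hash is exactly the SYNful Knock pattern; find where.
    if report["size_match"] and not report["hash_match"]:
        report["patched"] = differing_regions(good, suspect)
    return report


# Constructed stand-in for an IOS image: deterministic bytes, not a real image.
GOOD_IMAGE = bytes((i * 31 + 7) & 0xFF for i in range(4096))

# Simulate the implant's approach: overwrite one 64-byte "function" in place at
# offset 0x400 so the file size stays identical. XOR 0xFF guarantees every byte changes.
PATCH_OFFSET, PATCH_LEN = 0x400, 64
TAMPERED_IMAGE = (GOOD_IMAGE[:PATCH_OFFSET]
                  + bytes(b ^ 0xFF for b in GOOD_IMAGE[PATCH_OFFSET:PATCH_OFFSET + PATCH_LEN])
                  + GOOD_IMAGE[PATCH_OFFSET + PATCH_LEN:])


if __name__ == "__main__":
    r = check_image(GOOD_IMAGE, TAMPERED_IMAGE)
    print(f"size match: {r['size_match']}  hash match: {r['hash_match']}")
    for off, ln in r["patched"]:
        print(f"patched region at 0x{off:x}, {ln} bytes")
```

In practice the known-good copy is the image hash Cisco publishes for that release, compared on the router with `verify /md5` or, better, against a copy pulled off the flash and hashed on a host you trust. The diff step matters for incident response rather than detection: the offsets it returns are where to point a disassembler to see which IOS functions were sacrificed to make room for the implant.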