Security researchers at FireEye's Mandiant say they have uncovered previously unknown attacks on Cisco routers that allow hackers to harvest data while going undetected by existing cybersecurity defenses. Routers hold critical positions, sitting both on the boundaries of a network and in its core. A router implanted with a backdoor gives attackers an easy entry point to establish a foothold and compromise other hosts and critical data.
While this attack could be possible on any router technology, in this case the targeted victims were Cisco routers. The Mandiant team found 14 instances of this router implant, dubbed SYNful Knock, across four countries: Ukraine, the Philippines, Mexico, and India.
According to Cisco, "In the past, attackers were primarily targeting infrastructure devices to create a denial of service (DoS) situation. While these types of attacks still represent the majority of attacks on network devices, attackers are now looking for ways to subvert the normal behavior of infrastructure devices due to the devices' privileged position within the IT infrastructure. In fact, by owning an infrastructure device such as a router, the attacker may gain a privileged position and be able to access data flows or crypto materials or perform additional attacks against the rest of the infrastructure."
Routers are attractive to hackers because they operate outside the perimeter of firewalls, anti-virus, behavioral detection software and other security tools that organizations use to safeguard data traffic.
The implant uses techniques that make it very difficult to detect. A clandestine modification of the router's firmware image can be used to maintain a persistent presence in an environment. Mainly, however, it evades detection because very few organizations, if any, monitor these devices for compromise.
The researchers said that addressing this new threat vector would require a different type of approach and would certainly reveal information about previously unknown compromises.
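Because the implant lives in a modified firmware image and survives only while nobody checks the image, the simplest monitoring step is a fleet-wide comparison of each router's reported image hash against a known-clean baseline and the vendor-published hashes. The script below is an added illustration of that check, not code from FireEye, Mandiant or Cisco; the device names and "image" bytes are constructed sample values standing in for real image files pulled from flash.

```python
"""Baseline-drift check for router firmware image hashes (added example)."""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """SHA-256 hex digest of an image; real use would stream a file in chunks."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample values: a vendor-published image and one tampered copy.
CLEAN_IMAGE = b"vendor-image-15.2"
TAMPERED_IMAGE = CLEAN_IMAGE + b"-implant-modified"

# Hashes the vendor publishes for legitimate images (constructed here).
KNOWN_GOOD: Dict[str, str] = {sha256_hex(CLEAN_IMAGE): "vendor-image-15.2"}

# Hashes recorded when each router was last verified clean (constructed).
BASELINE: Dict[str, str] = {
    "edge-rtr-01": sha256_hex(CLEAN_IMAGE),
    "core-rtr-01": sha256_hex(CLEAN_IMAGE),
    "edge-rtr-02": sha256_hex(CLEAN_IMAGE),
}

# Hashes collected from the devices today (constructed); one has drifted,
# one device is new, and one did not respond.
SNAPSHOT: Dict[str, str] = {
    "edge-rtr-01": sha256_hex(CLEAN_IMAGE),
    "core-rtr-01": sha256_hex(TAMPERED_IMAGE),
    "branch-rtr-09": sha256_hex(CLEAN_IMAGE),
}


def check_images(baseline: Dict[str, str], snapshot: Dict[str, str],
                 known_good: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (device, finding) pairs worth an analyst's attention."""
    findings: List[Tuple[str, str]] = []
    for device, digest in snapshot.items():
        if device not in baseline:
            findings.append((device, "device not in baseline"))
        elif digest != baseline[device]:
            findings.append((device, "image hash changed since baseline"))
        if digest not in known_good:
            findings.append((device, "image hash not vendor-published"))
    # A device that stops reporting deserves a look as much as one that drifted.
    for device in sorted(baseline.keys() - snapshot.keys()):
        findings.append((device, "device missing from snapshot"))
    return findings


if __name__ == "__main__":
    for device, finding in check_images(BASELINE, SNAPSHOT, KNOWN_GOOD):
        print(f"{device}: {finding}")
```

A clean fleet returns an empty list; anything else is a prompt to pull the image off the device and compare it byte for byte rather than trusting the router's own reporting.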
Cisco confirmed it had alerted customers to the attacks in August and said they were not due to any vulnerability in its own software. Instead, the attackers stole valid network administration credentials from targeted organizations or gained physical access to the routers themselves.