The last several months have been plagued by countless reports of hardware routers being exploited by hackers for various reasons. Popular router brands including Belkin, Net Gear, and Linksys have all been targeted by cybercriminals and used as botnets to launch DDoS attacks. In fact, the PlayStation and Xbox Live networks were both taken offline by hackers using exploited routers as the basis for the attack. Mandiant, a sister company of Swedish security firm FireEye, recently uncovered a new router vulnerability that could mean big trouble for businesses around the world relying on Cisco routers. The backdoor malware, which has been named SYNful Knock by security researchers, is designed to compromise popular business-class Cisco routers and provides the hackers with escalated backdoor privileges to the entire network by modifying the router’s firmware image. This new malware variant is different than previous versions of malware designed to compromise consumer routers because the malware persists even after the router has been rebooted.
With some of the more notorious router hacks that have been uncovered over the last several months (including the exploit used to take down the Xbox Live and PlayStation gaming networks), if the affected router is rebooted, the malware is erased from the device’s memory and the router is no longer infected upon successful reboot. Unfortunately, SYNful Knock is persistent - even after the router is rebooted, the infected firmware image is still present and still provides a dangerous backdoor into the affected network. SYNful Knock relies on a modified version of the IOS operating system that is used on professional grade routers manufactured by Cisco, one of the most prominent manufacturers of business class networking equipment in the world.
According to Mandiant security researchers, the malware targets specific Cisco routers including model numbers 1841, 8211, and 3825. All of these routers are referred to as ‘integrated service routers’ and are commonly used by businesses in branch offices.
These router models are also commonly used by managed network service providers; companies that provide remote IT services to businesses large and small. So far, Mandiant has been able to confirm the presence of SYNful Knock on at least 14 routers currently being used by businesses in Mexico, India, Ukraine, and the Philippines although many more routers are likely to be infected as well. As news of this vulnerability spreads, it won’t be surprising to learn that SYNful Knock is installed on more routers in countries around the world as the vulnerability that makes this malware possible in the first place is found in all Cisco routers with the aforementioned model numbers - regardless of where in the world those routers are located.
Last month, Cisco published a security advisory warning customers that new attacks were being detected that attempted to install rogue firmware on routers manufactured by the company, but the discovery by Mandiant of live versions of this malware in the wild were only discovered in the last few days an published in a report by the Internet security firm. It’s worth noting that the affected routers are no longer sold as new equipment by Cisco, but there is no reason to believe that newer versions of these routers will not also be targeted by SYNful Knock or a similar threat in the near future. Apparently, SYNful Knock is not deployed through a conventional vulnerability within the firmware. Rather, the rogue firmware is installed via stolen administrative credentials. Interestingly enough, the hackers behind SYNful Knock took the time to ensure that the rogue firmware image is exactly the same size as the original firmware image to avoid detection by networking professionals accustomed to working with the IOS firmware installed on the Cisco hardware. Once this malware variant has been installed on a Cisco router using compromised login credentials, the rogue firmware creates a backdoor password that allows for privileged Telnet and console access.
Most business class Cisco routers rely on both Telnet and the console to make changes to the router configuration (instead of a GUI like consumer grade routers). The rogue firmware is also capable of listening for commands contained within specially crafted TCP SYN packets - which is how the rogue firmware got its name. This custom procedure is used by the hackers behind SYNful Knock as a way to instruct the firmware to inject malicious modules into the router’s memory. Although the backdoor password is persistent across device reboots, the malicious modules installed by SYNful Knock are not. In other words, these modules would need to be reinstalled after every device reboot. Any time a router is compromised, the results can be devastating; especially for businesses.
A compromised router gives the attackers the ability to see and even modify network traffic. Hackers can also redirect users to spoofed websites in an effort to gain additional information through various phishing techniques. Rogue firmware such as SYNful Knock can also be used to launch other nefarious attacks against servers and PCs within the network, even if those devices are typically isolated from Internet traffic using a combination of hardware and software firewalls.
Perhaps the biggest problem with malware designed to attack routers is that routers often don’t receive the same attention as PCs within a network, regardless of the network’s size. Most IT professionals expect employee workstations and application servers to be attacked and as such, spend most of their time and resources protecting these network components. Unfortunately, routers are not capable of running antivirus software making it even more difficult to identify a compromised router until it is too late. Although the reach of SYNful Knock appears to be rather limited at this time, there is no doubt that this threat - a threat that was thought to be impossible to achieve in a real-world scenario for years - is real and will most likely grow in popularity as an attack vector for hackers over the next several months.
With the holiday shopping season right around the corner, don’t be surprised if cybercriminals leverage this technique to infiltrate the networks of businesses in an attempt to install POS malware designed to sniff out payment card information. As of this writing, Cisco has not released a patch for this vulnerability but if your business uses Cisco routers within its network infrastructure, ensure that all administrative passwords are secure and regularly check for updates that could prevent a SYNful Knock infection from taking over your network.