FireEye researchers have discovered 14 Cisco routers in India, Mexico, Philippines and Ukraine that have been implanted with malware that allows attackers to gain and keep access to the target organization’s networks.
“Routers maintain critical positions as they are located on the boundaries of a network as well as in the core. Ironically, these critical devices often get overlooked for endpoints, mobile devices, and servers when it comes time to respond to an attack,” the researchers explained. “However, a router implanted with a backdoor provides attackers a very easy entry point to establish a foothold and compromise other hosts and critical data.”
The attackers compromised the devices by modifying their firmware image, and they did so by employing the SYNful Knock implant.
The researchers believe that the attackers didn’t exploit a zero-day vulnerability to install the implants, but that they got their hands on login credentials (possibly default ones).
“The implant consists of a modified Cisco IOS image that allows the attacker to load different functional modules from the anonymity of the internet. The implant also provides unrestricted access using a secret backdoor password,” the researchers noted.
“Each of the modules is enabled via the HTTP protocol (not HTTPS), using specifically crafted TCP packets sent to the router’s interface. The packets have a nonstandard sequence and corresponding acknowledgment numbers. The modules can manifest themselves as independent executable code or hooks within the router’s IOS that provide functionality similar to the backdoor password. The backdoor password provides access to the router through the console and Telnet.”
While the modified image persists after a reboot of the device, the modules are wiped because they reside in the router’s volatile memory.
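The page says only that the module-trigger packets use nonstandard sequence and acknowledgment numbers on TCP/80, without giving the exact values. The following added example (not FireEye’s code or signature) shows how a defender could run a simple heuristic over captured TCP headers: it parses the fixed 20-byte header and flags a bare SYN to port 80 that already carries a non-zero acknowledgment number, which a standards-conforming stack never sends. The heuristic, the sample segments, and the port scope are assumptions for illustration, not the actual SYNful Knock handshake.

```python
import struct
from typing import Dict, List, Optional, Tuple

# TCP flag bits (low 9 bits of the data-offset/flags field)
SYN = 0x02
ACK = 0x10


def build_tcp_header(sport: int, dport: int, seq: int, ack: int,
                     flags: int, window: int = 8192) -> bytes:
    """Build a fixed 20-byte TCP header (RFC 793 layout) for a constructed sample."""
    data_offset = 5 << 12  # 5 x 32-bit words, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       data_offset | flags, window, 0, 0)


def parse_tcp_header(raw: bytes) -> Dict[str, int]:
    """Parse the fixed part of a TCP header into a dict of fields."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq,
            "ack": ack, "flags": off_flags & 0x1FF}


def check_segment(hdr: Dict[str, int]) -> Optional[str]:
    """Assumed heuristic: a SYN-only segment to TCP/80 with a non-zero ACK
    number is malformed for a normal connection open and worth a closer look."""
    if hdr["dport"] != 80:  # page: modules are enabled over HTTP, not HTTPS
        return None
    syn_only = bool(hdr["flags"] & SYN) and not (hdr["flags"] & ACK)
    if syn_only and hdr["ack"] != 0:
        return "SYN carries non-zero acknowledgment number"
    return None


def scan(segments: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Return (label, finding) for every sample segment the heuristic flags."""
    alerts = []
    for label, raw in segments:
        finding = check_segment(parse_tcp_header(raw))
        if finding:
            alerts.append((label, finding))
    return alerts


# Constructed sample segments (not captured traffic): a normal SYN, the matching
# SYN/ACK, an anomalous SYN to port 80, and an anomalous SYN to a non-HTTP port.
SAMPLE_SEGMENTS = [
    ("normal-syn", build_tcp_header(51000, 80, 0x10000000, 0, SYN)),
    ("normal-synack", build_tcp_header(80, 51000, 0x20000000, 0x10000001, SYN | ACK)),
    ("odd-syn-http", build_tcp_header(51001, 80, 0x30000000, 0x30000ABC, SYN)),
    ("odd-syn-ssh", build_tcp_header(51002, 22, 0x40000000, 0x40000ABC, SYN)),
]

if __name__ == "__main__":
    for label, finding in scan(SAMPLE_SEGMENTS):
        print(f"{label}: {finding}")
```

In practice the segments would come from a capture at the router’s boundary interface; the point is that the trigger traffic is shaped differently from a normal three-way handshake, so a header-level check can surface it even when the payload looks like ordinary HTTP.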
So far, attackers have been targeting three Cisco router series (1841, 2811, and 3825), but it’s likely that other devices are affected, too.
For more technical details about the malware and the attack process, check out this report. The researchers have indicated several ways users can check whether their routers have been tampered with, and will detail more methods for detecting this implant in the following days.
“The impact of finding this implant on your network is severe and most likely indicates the presence of other footholds or compromised systems. This backdoor provides ample capability for the attacker to propagate and compromise other hosts and critical data using this as a very stealthy beachhead,” they warned.
“Addressing this new threat vector will require a different type of approach and will certainly reveal information about previously unknown compromises.”
A month ago Cisco published an advisory warning about in-the-wild attacks that resulted in attackers gaining, and potentially keeping indefinitely, administrative access to a Cisco IOS device by replacing the Cisco IOS ROMMON with a malicious ROMMON image.