Researchers at FireEye have discovered fourteen compromised Cisco routers, in four different countries, suggesting an attack vector once thought theoretical in nature has now become a reality.
In a blog post on Tuesday, FireEye reported the discovery of compromised Cisco devices in Ukraine, the Philippines, Mexico, and India.
The attack is being called SYNful Knock. Fancy names aside, what the attackers are doing is leveraging default or discovered credentials to modify the router's firmware in order to maintain persistence on a victim's network.
"The implant consists of a modified Cisco IOS image that allows the attacker to load different functional modules from the anonymity of the internet. The implant also provides unrestricted access using a secret backdoor password," the blog post explains.
"Each of the modules is enabled via the HTTP protocol (not HTTPS), using specifically crafted TCP packets sent to the router's interface. The packets have a nonstandard sequence and corresponding acknowledgment numbers. The modules can manifest themselves as independent executable code or hooks within the router's IOS that provide functionality similar to the backdoor password. The backdoor password provides access to the router through the console and Telnet."
So far, Cisco 1841, 2811, and 3825 routers are known to be affected, but FireEye believes other models are vulnerable as well.
When the modified Cisco IOS image is loaded, persistence is maintained even after a reboot, but the modules loaded by the attacker only exist in volatile memory, meaning a reboot will drop them.
"The malware forces all TLB Read and Write attributes to be Read-Write (RW). We believe this change is made to support the hooking of IOS functions by loaded modules," explained FireEye's Bill Hau and Tony Lee.
"Depending on router hardware, certain ranges of memory addresses are typically read only executable code sections. The simplest way to determine if the router has been modified is to use the 'show platform | include RO, Valid' command. The IOS image may have been tampered with to allow the modification of executable code if no results are displayed."
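The check FireEye describes above, grepping 'show platform' output for read-only valid memory regions, is easy to automate once the command output has been collected from each router. The script below is an added example written for this article, not FireEye's or Cisco's code: it parses a captured 'show platform' listing, counts regions whose TLB attribute is RO and Valid, and reports the "no read-only executable regions" indicator. The two sample outputs are constructed and only approximate the shape of a real memory region table (the exact column layout varies by model and IOS version), and a listing with no recognisable region lines is reported as inconclusive rather than clean, so that a format mismatch is not mistaken for a healthy router.

```python
import re

# Constructed sample output (hypothetical), shaped like a 'show platform' memory
# region table: start, end, size, TLB attribute, validity, and a label.
# Real output differs by model and IOS version; this is illustrative only.
CLEAN_OUTPUT = """\
Router#show platform
Memory region table:
0x40000000 0x40200000 0x00200000 RO, Valid   Text
0x40200000 0x40800000 0x00600000 RW, Valid   Data
0x80000000 0x80100000 0x00100000 RW, Valid   Heap
"""

# The same constructed table as a modified image would present it: the code
# region has been forced to RW, so 'include RO, Valid' would return nothing.
TAMPERED_OUTPUT = """\
Router#show platform
Memory region table:
0x40000000 0x40200000 0x00200000 RW, Valid   Text
0x40200000 0x40800000 0x00600000 RW, Valid   Data
0x80000000 0x80100000 0x00100000 RW, Valid   Heap
"""

# One memory-region line: three hex fields, an RO/RW attribute, validity, label.
REGION_RE = re.compile(
    r"^\s*(?P<start>0x[0-9A-Fa-f]+)\s+(?P<end>0x[0-9A-Fa-f]+)\s+(?P<size>0x[0-9A-Fa-f]+)"
    r"\s+(?P<attr>R[OW]),\s*(?P<valid>Valid|Invalid)\b\s*(?P<label>.*?)\s*$"
)


def parse_regions(output):
    """Return one dict per recognised memory-region line; other lines are skipped."""
    regions = []
    for line in output.splitlines():
        match = REGION_RE.match(line)
        if match:
            regions.append(match.groupdict())
    return regions


def assess(output):
    """Apply the 'show platform | include RO, Valid' indicator to captured output.

    verdict is one of:
      no_indicator  - at least one RO, Valid region exists (expected on a clean image)
      suspicious    - a region table was parsed but no region is RO, Valid
      inconclusive  - no region lines recognised; collect output again before concluding
    """
    regions = parse_regions(output)
    ro_valid = [r for r in regions if r["attr"] == "RO" and r["valid"] == "Valid"]
    if not regions:
        verdict = "inconclusive"
    elif not ro_valid:
        verdict = "suspicious"
    else:
        verdict = "no_indicator"
    return {
        "regions": len(regions),
        "ro_valid": len(ro_valid),
        "ro_labels": [r["label"] for r in ro_valid],
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, output in (("clean", CLEAN_OUTPUT), ("tampered", TAMPERED_OUTPUT)):
        result = assess(output)
        print(f"{name}: {result['verdict']} "
              f"({result['ro_valid']} of {result['regions']} regions RO, Valid)")
```

In practice the output would be pulled from each router over the management channel and fed to assess(); a "suspicious" verdict is a trigger for a full image integrity check against a known-good IOS image, not proof of compromise on its own, and an "inconclusive" verdict usually means the regex needs adjusting to that platform's table layout.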
The FireEye blog post is the first of two. The follow-up will explain how to detect the implants, both passively and actively.