Attacks leverage a modified Cisco IOS image

Researchers at FireEye have discovered fourteen compromised Cisco routers in four different countries, suggesting that an attack vector once thought to be theoretical has now become a reality.

In a blog post on Tuesday, FireEye reported the discovery of compromised Cisco devices in Ukraine, the Philippines, Mexico, and India. The attack is being called SYNful Knock. Fancy names aside, what the attackers are doing is leveraging default or discovered credentials, rather than a flaw in IOS itself, to replace the router's IOS image (its firmware) with a modified one, in order to maintain persistence on a victim's network.

“The implant consists of a modified Cisco IOS image that allows the attacker to load different functional modules from the anonymity of the internet. The implant also provides unrestricted access using a secret backdoor password,” the blog post explains. “Each of the modules is enabled via the HTTP protocol (not HTTPS), using specifically crafted TCP packets sent to the router's interface. The packets have a nonstandard sequence and corresponding acknowledgment numbers. The modules can manifest themselves as independent executable code or hooks within the router's IOS that provide functionality similar to the backdoor password. The backdoor password provides access to the router through the console and Telnet.”

So far, Cisco 1841, 2811, and 3825 routers are known to be affected, but FireEye believes other models are vulnerable as well. Because the modified IOS image is what the router boots from, persistence survives a reboot; the modules the attacker loads afterwards exist only in volatile memory, so a reboot drops them and the attacker has to reload them through the backdoor.

“The malware forces all TLB Read and Write attributes to be Read-Write (RW). We believe this change is made to support the hooking of IOS functions by loaded modules,” explained FireEye's Bill Hau and Tony Lee. “Depending on router hardware, certain ranges of memory addresses are typically read only executable code sections.
The simplest way to determine if the router has been modified is to use the “show platform | include RO, Valid” command. The IOS image may have been tampered with to allow the modification of executable code if no results are displayed.”

The FireEye blog post is the first of two. The follow-up will explain how to detect the implants, both passively and actively.
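For anyone collecting “show platform” output from a fleet of routers rather than typing the command into one console, the snippet below is an added example (not FireEye's or Cisco's code) that parses the TLB attribute table and applies the “no RO, Valid rows” indicator from the quote above. The table layout it expects (a virtual address range, a physical address range, then a comma-separated attribute list ending in RO or RW, Valid) is an assumption about ISR G1 output and the sample outputs are constructed; adjust the regex for your platform. The point it adds is the third verdict: if the output contains no TLB table at all, the check is inconclusive and should not be read as either clean or tampered.

```python
"""Triage 'show platform' output for the SYNful Knock TLB indicator.

Added example, not FireEye's or Cisco's code. The row layout matched by
TLB_ROW is an assumption about ISR G1 output; the sample outputs below are
constructed for illustration.
"""
import re

# One TLB row: "<virt start>-<virt end>  <phys start>-<phys end>  <attributes>"
# (assumed layout). The attribute tail is what the article's filter keys on.
TLB_ROW = re.compile(
    r"^\s*(0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)\s+"
    r"(0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)\s+(.+?)\s*$"
)


def parse_tlb_rows(show_platform: str) -> list:
    """Return one dict per TLB row found in the captured command output."""
    rows = []
    for line in show_platform.splitlines():
        m = TLB_ROW.match(line)
        if not m:
            continue
        attrs = [a.strip() for a in m.group(5).split(",")]
        rows.append({
            "virt": (int(m.group(1), 16), int(m.group(2), 16)),
            "phys": (int(m.group(3), 16), int(m.group(4), 16)),
            "attrs": attrs,
            "writable": "RW" in attrs,
            "valid": "Valid" in attrs,
        })
    return rows


def assess(show_platform: str) -> str:
    """'ok' if at least one RO, Valid region exists, 'suspicious' if every
    valid region is RW (the indicator from the article), 'unknown' if the
    capture contains no TLB table to judge from."""
    rows = parse_tlb_rows(show_platform)
    if not rows:
        # Wrong platform, truncated capture, or a different output format:
        # an empty grep result here is NOT evidence of tampering.
        return "unknown"
    ro_valid = [r for r in rows if r["valid"] and not r["writable"]]
    return "ok" if ro_valid else "suspicious"


# Constructed sample captures (hypothetical addresses, not real router output).
CLEAN_SAMPLE = """\
Virt Address range     Phy Address range       Attributes
0x40000000-0x40FFFFFF  0x000000000-0x00FFFFFF  CacheMode=2, RW, Valid
0x41000000-0x41FFFFFF  0x001000000-0x01FFFFFF  CacheMode=2, RO, Valid
0x42000000-0x42FFFFFF  0x002000000-0x02FFFFFF  CacheMode=2, RW, Valid
"""

TAMPERED_SAMPLE = """\
Virt Address range     Phy Address range       Attributes
0x40000000-0x40FFFFFF  0x000000000-0x00FFFFFF  CacheMode=2, RW, Valid
0x41000000-0x41FFFFFF  0x001000000-0x01FFFFFF  CacheMode=2, RW, Valid
0x42000000-0x42FFFFFF  0x002000000-0x02FFFFFF  CacheMode=2, RW, Valid
"""

NO_TABLE_SAMPLE = "Cisco 2811 (revision 53.51) with 249856K/12288K bytes of memory.\n"

if __name__ == "__main__":
    for name, capture in (("clean", CLEAN_SAMPLE),
                          ("tampered", TAMPERED_SAMPLE),
                          ("no table", NO_TABLE_SAMPLE)):
        print(f"{name}: {assess(capture)}")
```

Treat “suspicious” as a reason to pull the running image off the device and compare its hash against the one you downloaded from Cisco, not as a conviction on its own; and treat “unknown” as a prompt to check what the command actually printed on that platform.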
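FireEye's follow-up is where the actual network signature for the implant will appear; the page does not give the sequence and acknowledgment values the implant uses, so nothing here claims to. What the quoted description does support is a generic heuristic: under RFC 793 the acknowledgment field is only meaningful when the ACK flag is set, and ordinary stacks send zero there on an initial SYN, so a bare SYN that arrives at a router's interface carrying a populated acknowledgment number is the kind of “nonstandard sequence and corresponding acknowledgment numbers” worth flagging. The code below is an added example (not FireEye's signature or tooling) that parses raw TCP headers and applies that heuristic; all sample segments are constructed, with hypothetical port and sequence values.

```python
"""Flag bare SYN segments whose acknowledgment number is non-zero.

Added example, not FireEye's signature: a passive heuristic derived from
TCP semantics (ack is only meaningful with the ACK flag), applied to raw
TCP headers. Sample segments are constructed with hypothetical values.
"""
import struct
from dataclasses import dataclass

TCP_SYN = 0x02
TCP_ACK = 0x10


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int


def parse_tcp_header(segment: bytes) -> TcpHeader:
    """Parse the fixed 20-byte TCP header; options are validated for length but ignored."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    src, dst, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError(f"bad data offset {data_offset}")
    return TcpHeader(src, dst, seq, ack, off_flags & 0x1FF)


def build_tcp_header(src, dst, seq, ack, flags, window=65535) -> bytes:
    """Build a 20-byte TCP header (no options, checksum left zero) for test input."""
    off_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", src, dst, seq, ack, off_flags, window, 0, 0)


def is_suspicious_syn(h: TcpHeader) -> bool:
    """SYN set, ACK clear, yet the acknowledgment field carries a value."""
    syn_without_ack = (h.flags & (TCP_SYN | TCP_ACK)) == TCP_SYN
    return syn_without_ack and h.ack != 0


def scan_segments(segments) -> list:
    """Return indexes of segments that trip the heuristic; malformed ones are skipped."""
    hits = []
    for i, seg in enumerate(segments):
        try:
            h = parse_tcp_header(seg)
        except ValueError:
            continue
        if is_suspicious_syn(h):
            hits.append(i)
    return hits


# Constructed sample traffic (hypothetical ports and sequence numbers).
SAMPLE_SEGMENTS = [
    build_tcp_header(40000, 80, 0x11223344, 0, TCP_SYN),                    # normal SYN
    build_tcp_header(80, 40000, 0x55667788, 0x11223345, TCP_SYN | TCP_ACK),  # normal SYN-ACK
    build_tcp_header(40000, 80, 0x11223345, 0x55667789, TCP_ACK),            # normal ACK
    build_tcp_header(40001, 80, 0x0000C0DE, 0x0000C0DE + 0x1234, TCP_SYN),  # bare SYN, ack populated
    b"\x00" * 10,                                                            # truncated, skipped
]

if __name__ == "__main__":
    print("suspicious segment indexes:", scan_segments(SAMPLE_SEGMENTS))  # [3]
```

Run this over captures filtered to traffic destined for your routers' management and loopback addresses, where a bare SYN with a populated acknowledgment field is rare enough to review by hand. A hit is a triage lead, not proof of the implant: a handful of unusual stacks and scanners also set that field, and the exact values FireEye observed will be what turns the heuristic into a signature.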