More than a dozen compromised router infections have been found in the wild, all targeting Cisco kit as part of sophisticated attempts to hack into corporate and government networks.
Once considered only a theoretical risk, the finding of malware-infected routers by FireEye/Mandiant shows that the threat is all too real.
A backdoor-implanted router provides attackers with a foothold on targeted networks, allowing them to launch stepping-stone attacks on other hosts and back-end systems.
Attacks might be possible on any router technology, but all the real-world infections uncovered by FireEye/Mandiant involved devices made by Cisco. The Mandiant team found 14 instances of a router implant, dubbed SYNful Knock, across four countries: Ukraine, the Philippines, Mexico, and India.
Last month, Cisco warned users to be careful after detecting malicious ROM images in the wild.
“Cisco has observed a limited number of cases where attackers, after gaining administrative or physical access to a Cisco IOS device, replaced the Cisco IOS ROMMON (IOS bootstrap) with a malicious ROMMON image,” it warned. FireEye has thus quantified, and added a fresh perspective to, an APT-style threat that enterprise security defenders paying attention have been aware of for some time, thanks in no small part to the ongoing revelations from Edward Snowden.
The NSA practice of intercepting networking kit and installing backdoors before boxen reached customers became public in May 2014. Cisco responded this year by offering to send kit to vacant addresses in order to avoid NSA interception profiles. Whether such a basic ruse would consistently fox determined spies was always a bit doubtful, and the latest findings from FireEye suggest miscreants have managed to implant malware on routers one way or another.
Although it might easily be assumed that the prime targets for criminal or state-sponsored hackers are databases or servers, the position of routers on the edge of an enterprise network can readily be turned against potential victims to snoop on sensitive traffic. Such threats are difficult to detect and potentially deeply damaging, as Cisco itself warns in stressing the importance of integrity assurance to its customers.
According to Cisco:
In the past, attackers were primarily targeting infrastructure devices to create a denial of service (DoS) situation. While these types of attacks still represent the majority of attacks on network devices, attackers are now looking for ways to subvert the normal behaviour of infrastructure devices due to the devices' privileged position within the IT infrastructure. In fact, by owning an infrastructure device such as a router, the attacker may gain a privileged position and be able to access data flows or crypto materials or perform additional attacks against the rest of the infrastructure.
The implant uncovered by FireEye/Mandiant uses techniques that make it difficult to detect. A clandestine modification of the router firmware image can be utilised to maintain perpetual presence in an environment. The technique stands little risk of detection because very few, if any, organisations are monitoring these devices for compromise.
FireEye warns the router compromise tactic – rare at present – may become more common in future.
“The detection of SYNful Knock is just the tip of the iceberg when it comes to attacks utilising modified router images (regardless of vendor),” according to FireEye/Mandiant. “As attackers focus their efforts on gaining persistent access, it is likely that other undetected variants of this implant are being deployed throughout the globe.”