Smart Attacks Break into Routers

Monday, September 21, 2015 @ 05:09 PM gHale

Attacks across multiple countries are occurring on the routers that direct traffic around the Internet, potentially allowing attackers to cull huge levels of information while going undetected.

In the attacks, a highly sophisticated form of malicious software, called SYNful Knock, is in Cisco routers, said researchers at security firm FireEye.

Cisco Working on Security Appliances Holes
Cisco Patches Data Center Holes
Cisco Working on Fix ISE Hole
Attackers Taking Over Cisco Gear

Routers are attractive to attackers because they operate outside the perimeter of firewalls, anti-virus, behavioral detection software and other security tools that organizations use to safeguard data traffic. They were vulnerable to sustained denial-of-service attacks, but now things are looking a bit different.

“If you own the router, you own the data of all the companies and government organizations that sit behind that router,” said FireEye Chief Executive Dave DeWalt.

“This is the ultimate spying tool, the ultimate corporate espionage tool, the ultimate cybercrime tool,” DeWalt said.

The attacks have hit multiple industries and government agencies, DeWalt said. In addition, the attack affects Cisco 1841, 2811, and 3825 series routers, but may also affect similar Cisco devices.

Cisco said it alerted customers to the attacks in August and said they were not due to any vulnerability in its own software. Instead, the attackers stole valid network administration credentials from targeted organizations or managed to gain for themselves physical access to the routers.

“We’ve shared guidance on how customers can harden their network, and prevent, detect and remediate this type of attack,” Cisco said in a statement.

FireEye’s computer forensic arm Mandiant has so far found 14 instances of the router implants in India, Mexico, Philippines and Ukraine, the company said in a blog post. It added that this may be just the tip of the iceberg in terms of yet-to-be-discovered attacks.

Indeed, another group of researchers decided to scan the public IPv4 address space for other affected devices. They found some.

“We completed four scans of the public IPv4 address space on September 15, 2015 and found 79 hosts displaying behavior consistent with the SYNful Knock implant. These routers belong to a range of institutions in 19 countries. We have found no immediate pattern in the organizations affected, but note a surprising number of routers in Africa and Asia (compared to IP allocations),” according to a blog post from data collected by a team of computer scientists from the University of Michigan, UC Berkeley, and the International Computer Science Institute, including Zakir Durumeric, David Adrian, Paul Pearce, Drew Springall, Nicholas Weaver, and J. Alex Halderman.

All the 25 hosts affected in the U.S. belong to a single service provider on the East Coast, and those in Germany and Lebanon to a satellite provider that provides coverage to Africa.

Because the attacks actually replace the basic software controlling the routers, infections persist when devices shut off and restart. If and infection ends up found, FireEye said basic software used to control those routers would have to end up re-imaged, a time-consuming task for technicians.

Researchers said there are a small number of nations with cyber intelligence services capable of such attacks on network equipment, including those of Britain, China, Israel, Russia and the United States.

The malicious program has been nicknamed “SYNful,” a reference to SYN, the signal a router sends when it starts to communicate with another router, a process which the implant exploited, FireEye researchers said.

Network logs from infected routers suggest the attacks have been taking place for at least a year, DeWalt said.