Hackers use rogue backdoor in Cisco routers to launch cyber attacks against four countries including India
Security researchers from Mandiant, the computer forensics arm of U.S. security firm FireEye, have detected a real-world attack that installed rogue firmware on business routers in four countries. The implant could allow cybercriminals to harvest large amounts of data without being detected by existing cybersecurity defenses.
The attacks replace the operating system used in network equipment from Cisco, the world’s biggest maker of routers, said Mandiant on Tuesday.
The router implant, dubbed SYNful Knock, gives attackers highly privileged backdoor access to the affected devices and persists across reboots. This differs from the typical malware found on consumer routers, which lives only in memory and is removed when the device is restarted.
SYNful Knock is a modified version of the IOS operating system that runs on professional routers and switches made by Cisco Systems. So far Mandiant researchers have found it on Cisco 1841, 8211 and 3825 “integrated services routers,” which are typically used by businesses in their branch offices or by providers of managed network services.
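Because the implant is a modified IOS image written to the device rather than code living only in memory, the defensive check that follows from the description above is to compare the image actually stored on each router against a vendor-published, known-good digest. The script below is an added example, not code from the article, from Mandiant, or from Cisco: it hashes a set of image files and classifies each as matching the baseline, modified, or not in the baseline at all. The image bytes and filenames are constructed stand-ins; a real deployment would pull the image files off the routers' flash and take the expected digests from the vendor's published values, never from a device that may already be compromised.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data (not real IOS images): a stand-in "stock" image and a
# copy with a single byte changed, modelling an image that was replaced on flash.
GOOD_IMAGE = b"IOS-IMAGE-STANDIN" + bytes(range(256)) * 64
TAMPERED_IMAGE = GOOD_IMAGE[:100] + b"X" + GOOD_IMAGE[101:]


@dataclass
class Finding:
    filename: str
    status: str      # "ok", "MODIFIED" or "UNKNOWN"
    observed: str    # SHA-256 of the image actually found on the device


def sha256_bytes(data: bytes, chunk: int = 1 << 20) -> str:
    """Hash an image in chunks so multi-megabyte files do not need to be held twice."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def verify_images(images: dict[str, bytes], baseline: dict[str, str]) -> list[Finding]:
    """Compare each retrieved image against the vendor baseline.

    images:   filename -> raw bytes pulled from the router's flash
    baseline: filename -> expected SHA-256 hex digest from the vendor
    """
    findings = []
    for name, data in images.items():
        digest = sha256_bytes(data)
        expected = baseline.get(name)
        if expected is None:
            # An image the baseline does not know about deserves a manual look.
            status = "UNKNOWN"
        elif hmac.compare_digest(digest, expected):
            status = "ok"
        else:
            # Same filename, different contents: the image on flash is not the stock one.
            status = "MODIFIED"
        findings.append(Finding(name, status, digest))
    return findings


def demo() -> dict[str, str]:
    """Run the check over the constructed sample set and return filename -> status."""
    # Hypothetical filenames; in practice these are the files copied from each router.
    images = {
        "router-a-flash.bin": GOOD_IMAGE,
        "router-b-flash.bin": TAMPERED_IMAGE,
        "router-c-flash.bin": b"image-with-no-baseline-entry",
    }
    # Both routers are supposed to run the same stock image, so the expected
    # digest is the same for both entries.
    baseline = {
        "router-a-flash.bin": sha256_bytes(GOOD_IMAGE),
        "router-b-flash.bin": sha256_bytes(GOOD_IMAGE),
    }
    return {f.filename: f.status for f in verify_images(images, baseline)}


if __name__ == "__main__":
    for filename, status in demo().items():
        print(f"{filename}: {status}")
```

The comparison uses `hmac.compare_digest` only out of habit; the real value of the check is that the expected digests come from outside the device, so an image swapped in through physical access or stolen credentials shows up as `MODIFIED` regardless of what the router itself reports about its version.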
Mandiant, which specializes in incident response services, has found at least 14 such router implants spread across Ukraine, the Philippines, Mexico and India. Cisco confirmed the attacks, saying it published a security advisory in August and notified its customers of a new type of attack against networking devices. Cisco has also shared guidance on how customers can harden their networks and prevent, detect and remediate this type of attack.
“We have only been able to prove its existence in the wild for actual attacks on Cisco routers, but we actually believe that Huawei routers or Juniper routers have the same vulnerabilities and ultimately can be exploited in a similar way. The mass of the router architecture of the world is at risk,” said Dave DeWalt, the CEO of security company FireEye Inc., which owns Mandiant.
The Indian Air Force's secure communication network, AFNET, as well as telecom operators and several other government departments, use Cisco routers. However, it could not be confirmed which routers were compromised.
“The impact of finding this implant on your network is severe and most likely indicates the presence of other footholds or compromised systems,” FireEye researchers wrote in Tuesday’s post. “This backdoor provides ample capability for the attacker to propagate and compromise other hosts and critical data using this as a very stealthy beachhead.”
These attacks do not exploit a software vulnerability; instead they rely on physical access or compromised credentials to install the malware on network devices. The router's position in the network makes it an ideal target for re-entry or further infection, said FireEye.
Hackers target routers because they sit outside the boundaries of the firewalls, anti-virus and other security tools that organisations use to safeguard their data traffic. FireEye said it announced its discovery only after working with Cisco to quietly notify governments and affected parties. “We thought it was best to release this so everyone can fix their routers as fast as possible,” DeWalt said.