The malware provided backdoors to infected Cisco routers

Sep 15, 2015 22:50 GMT  ·  By

FireEye researchers have observed a new attack method in the wild: attackers hide malware inside the firmware of Cisco routers, where it survives reboots.

Routers and switches are regularly left off the security checklists of almost all organizations, mainly because few security engineers are aware that these devices can harbor malware.

This blind spot is reinforced by the fact that most network equipment is not built to run security software such as firewalls, which, combined with the lack of attention from company staff, can leave a large hole in the company's defenses.

Implanted Cisco firmware harbors the malware

This new attack method, named SYNful Knock by FireEye's researchers, relies on malicious actors gaining access to a router's login credentials and installing a modified version of IOS, a special operating system developed by Cisco for all of its modern network equipment.

Previous router malware was always stored in the device's memory, which meant that restarting the router would usually clean out the infection, since RAM is wiped during a reboot.

By storing their malware in the operating system image itself, which lives in flash storage rather than RAM, attackers have created a persistent, reusable entry point for their attacks.

The malware provides a backdoor into the Cisco routers, which can be exploited remotely through the console or over Telnet.

The malware also lets attackers load modules via modified TCP packets

But the bad news doesn't end here. Besides the backdoor, the malware is also capable of listening on the router's ports and watching for specially crafted TCP packets.

This allows attackers to control router behavior from afar, sending commands in the form of regular Internet traffic.

With the help of these commands, attackers can make the malware load special modules into the router's memory, which are then used to carry out various types of attacks, such as sniffing traffic, redirecting users to specific Web pages, or participating in DDoS attacks.

Since the modules are loaded in the router's memory, a reboot usually removes them from infected devices. Unfortunately, this won't stop attackers, who could very easily load them again.
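Because the backdoor is reachable over Telnet and the module loader is triggered by TCP packets disguised as ordinary traffic, one defensive check is to audit who opens TCP connections to the routers at all. The following Python is an added example, not code from the article or from FireEye: the article gives no packet signature, so it does not try to recognize the crafted packets themselves; it parses raw IPv4/TCP headers and flags SYNs to inventoried routers from outside a management subnet, and any Telnet session to a router. The router addresses, management subnet and packets are constructed for the example.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed inventory for the example: router addresses and the subnet management hosts live in.
ROUTERS = {"192.0.2.1", "192.0.2.2"}
MANAGEMENT_NET = ip_network("198.51.100.0/24")
TELNET_PORT = 23
SYN = 0x02

def parse_ipv4_tcp(frame: bytes):
    """Parse a raw IPv4 packet carrying TCP; return (src, dst, sport, dport, flags) or None."""
    if len(frame) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(frame) < ihl + 20:
        return None                      # not IPv4, not TCP, or truncated
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", frame[ihl:ihl + 14])
    return (str(ip_address(src)), str(ip_address(dst)), sport, dport, off_flags & 0x01FF)

def build_ipv4_tcp(src, dst, sport, dport, flags=SYN):
    """Constructed test packet: minimal IPv4 + TCP headers, checksums left zero (never sent)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr

def audit(packets):
    """Return alert strings for connection attempts toward routers that a defender should review."""
    alerts = []
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            continue
        src, dst, _sport, dport, flags = parsed
        if dst not in ROUTERS or not (flags & SYN):   # only new connections to inventoried routers
            continue
        if ip_address(src) not in MANAGEMENT_NET:
            alerts.append(f"non-management host {src} opened TCP/{dport} to router {dst}")
        if dport == TELNET_PORT:
            alerts.append(f"telnet to router {dst} from {src}; cleartext management access")
    return alerts

if __name__ == "__main__":
    sample = [build_ipv4_tcp("198.51.100.10", "192.0.2.1", 40000, 22),   # management host, SSH
              build_ipv4_tcp("203.0.113.5", "192.0.2.1", 40001, 23),     # outside host, Telnet
              build_ipv4_tcp("198.51.100.10", "192.0.2.2", 40002, 23),   # management host, Telnet
              build_ipv4_tcp("203.0.113.5", "10.0.0.9", 40003, 80)]      # not a router
    for line in audit(sample):
        print(line)
```

In a real deployment the packets would come from a span port or a pcap rather than being constructed, and the inventory from the CMDB.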

Only 14 routers infected with SYNful Knock for now

According to FireEye researchers, 14 infected routers were uncovered in India, Mexico, the Philippines, and Ukraine. All routers were in closed networks.

The affected models are Cisco 1841, 2811, and 3825. Cisco has stopped producing these router models, but FireEye researchers don't rule out the possibility that more recent models could be exploited as well.

Mandiant, the FireEye subsidiary which discovered the vulnerability, also provides some advice on how to prevent and mitigate these issues.