Massive Cisco Router Hack Hits At Least Four Countries

File/August 10, 2011 in San Jose, California.
Justin Sullivan/Getty Images

A cyber-security firm has discovered a virus called “SYNful Knock,” implanted by hackers in at least 14 Cisco routers in four different countries, that allows the hackers to monitor and control Internet traffic.

The number of routers affected doesn’t give a true picture of how serious this hack is, because each of those routers provided Internet traffic to numerous companies and government agencies, and the virus has reportedly been in place for more than a year. The volume of potentially compromised traffic is staggering.

The virus was discovered by Mandiant, the investigative unit of security firm FireEye. According to a Reuters report, Cisco confirmed the threat, alerted its customers, and worked with Mandiant to develop tools that could be used to detect the presence of SYNful Knock in infected systems. More infections will probably be discovered before all is said and done, because the “SYN” part of the infection’s name refers to its ability to spread between routers using their syndication functions. A year of undetected activity is a long time for such a virus to propagate.

According to Reuters, Cisco said “SYNful did not take advantage of any vulnerability in its own software. Instead it stole valid network administration credentials from organizations targeted in the attacks or by gaining physical access to their routers.”

Ominously, this means the infection could potentially affect routers from other manufacturers, as if spreading through Cisco’s extremely popular equipment wasn’t bad enough. According to Mandiant’s report, the Cisco routers known to have been attacked so far are models 1841, 2811, and 3825. The infected routers were located in India, Mexico, Ukraine, and the Philippines.

The security consultants warn that such router attacks, once considered only a theoretical menace, are “very much a reality and will most likely grow in popularity and prevalence.”

Mandiant describes SYNful KNock as “a stealthy modification of the routers firmware image that can be used to maintain persistence within a victim’s network. It is customizable and modular in nature and thus can be updated once implanted. Even the presence of the backdoor can be difficult to detect as it uses non-standard packets as a form of pseudo-authentication.”

“Maintaining persistence” is cyber-security lingo for hanging around invisibly and compromising a system in ways that are very difficult to detect. The earlier generation of virus programs, in an era of less powerful computer networks, tended to draw attention to themselves – that was often the point of creating the infestation, allowing digital vandals to sit back and enjoy the outraged cries of infected victims, charting how far their virus spread before it was snuffed out. Later hacks opened network access gateways that were exploited swiftly and brutally, leading to smash-and-grab data heists that were detected fairly quickly, leaving the hackers to scoot away with whatever databases they could snatch before alarms were raised.

“Persistence” attacks like SYNful Knock are designed to lurk undetected for months or years, giving the intruders plenty of time for stealthy mischief. Most of the big headline-grabbing hacks of recent years have involved persistence techniques. Many, like the Office of Personnel Management attack, and possibly this new router threat, began with the theft of legitimate user credentials, allowing the attackers to make their initial incursion as legitimate users whose presence raised no alarms.

Stealthy infestations like this are sometimes discovered when the hackers overplay their hand, and use the back door they’ve created to upload some less stealthy viral code, or take some other action that draws the attention of security forces. The Mandiant report doesn’t specify if that was how SYNful Knock was initially detected, but it does note that “impact of finding this implant on your network is severe and most likely indicates the presence of other footholds or compromised systems,” because it “provides ample capability for the attacker to propagate and compromise other hosts and critical data using this as a very stealthy beachhead.”

One of the tactics this virus uses to remain persistent within an infect router involves making itself part of the router’s operating system, setting itself up as a process that can be run every time the router is rebooted (so it doesn’t go away after reboots) and changing certain normally protected parts of the router’s memory to “read/write” access. This allowed the small and stealthy core code of the virus to pull in larger blocks of malware from the hackers’ websites every time the router was rebooted, effectively reloading itself over and over again.

The level of system compromise made possible by this virus is extremely disturbing. Using a simple telnet command – one of the most basic ways to access a device over the Internet – the hackers could punch their secret backdoor password into a prompt that would normally allow only very limited maintenance access to the router, and instantly gain “elevated” access that allowed them to do almost anything they wanted.

The hackers also had a way of forcing the router to lower its normal defenses against further penetration by sending a few specially-crafted packets of information. This is the behavior Mandiant exploited when designing a tool that could detect the presence of the SYNful implant on infected routers. Since it can be done from outside the network, this tool should allow security experts to check a large number of routers fairly quickly.

As the security firm points out, Internet routers tend to be situation outside of most defensive security layers, meaning this hack bypassed much of the protection corporations and governments pay billions of dollars to install on their systems. A Mandiant blog post on the growing threat of compromised routers notes that such penetrations can go undetected for long periods of time because “very few, if any, are monitoring these devices for compromise.”

“Addressing this new threat vector will require a different type of approach and will certainly reveal information about previously unknown compromises,” warns Mandiant. That’s a chilling glimpse of news to come, if it turns out these router hacks have been employed to spread other forms of malware into compromised systems… or perhaps gather more legitimate user information from the data stream passing through infected routers, enabling further stealthy and persistent penetrations.


Please let us know if you're having issues with commenting.