beckmarkwith - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Cisco router malware in the wild more widespread than first believed

News roundup: Additional research shows a Cisco router implant affects more devices than originally reported. Plus: Let's Encrypt's first cert issued; Tor in the library; the mitigated (but not fixed) iOS AirDrop vulnerability.

A router malware issue first exposed by FireEye Inc. earlier this week may be more prevalent than initially thought, additional research has shown.

FireEye Mandiant reported Tuesday that at least 14 instances of a router malware -- dubbed "SYNful Knock" -- exists across four countries including Ukraine, Philippines, Mexico and India. However, further investigation found the number could be nearly six times that original estimate.

Router implants found in the wild

The attack described by researchers involves an attacker implanting a modified Cisco IOS image, thereby allowing the attacker to load malicious modules into the router. According to researchers' report, this implant "provides unrestricted access using a secret backdoor password. Each of the modules are enabled via the HTTP protocol (not HTTPS), using specifically crafted TCP packets sent to the router's interface."

It is a "stealthy modification of the router's firmware image that can be used to maintain persistence within a victim's network. It is customizable and modular in nature and, thus, can be updated once implanted," according to the FireEye report.

Unlike other common router malware, SYNful Knock persists after rebooting. However, the malicious modules added onto victim routers do not survive a reboot.

Mandiant researchers found the implants in enterprise-grade 1841, 2811 and 8825 routers from Cisco Systems Inc., though they believe "other models are likely affected based on the similarity in core functionality and the IOS code base." These particular routers are discontinued, but still supported by Cisco.

Omar Santos, incident manager of the Cisco Product Security Incident Response Team, wrote in a blog post published Tuesday that the Cisco PSIRT worked with Mandiant researchers and confirmed the attack did not exploit a flaw in the router itself; the initial attack vector likely involved default or stolen credentials, or physical access of the victim device.

More widespread than first believed

A group of researchers found the issue is more widespread than Mandiant researchers' conclusions.

Researchers from the University of Michigan, University of California at Berkeley and International Computer Science Institute determined that because the router implant is "fingerprintable," they could scan for infected servers using specially crafted TCP SYN packets without exploiting the flaw.

Using the Zmap tool, researchers scanned the public IPv4 address space four times and found a total of 79 hosts displaying behavior consistent with the SYNful Knock router malware across 19 different countries.

While the researchers did not notice any correlation between those infected, they noted a surprising number of the routers were in Africa and Asia, as compared to IP allocations. They also found 25 infected routers in the U.S., all belonging to a single ISP on the East Coast. All the routers in Germany and Lebanon belonged to a single satellite provider servicing Africa.

The future of router security

As Mandiant researchers noted in their blog post, "Router implants have been largely believed to be theoretical in nature and, especially, in use."

However, now that router malware has been spotted in the wild, researchers are hopeful enterprise router security strategies will be improved.

"It should be evident now that this attack vector is very much a reality and will most likely grow in popularity and prevalence," Mandiant researchers wrote. "The impact of finding this implant on your network is severe and most likely indicates the presence of other footholds or compromised systems. This backdoor provides ample capability for the attacker to propagate and compromise other hosts, and critical data using this as a very stealthy beachhead."

Lamar Bailey of Tripwire Inc.'s Vulnerability and Exposures Research Team said, "Routers are one of the Holy Grail targets for attackers because they lie outside of many normal security protections. It appears that attackers have targeted specific routers and firmware versions and they are able to gain access to the routers via weak or default credentials. Once the router is compromised they overwrite the firmware with modified, malicious versions designed to run on the specific hardware."

"If you own (seize control of) the router, you own the data of all the companies and government organizations that sit behind that router," FireEye CEO Dave DeWalt said in an interview with Reuters.

"This is the ultimate spying tool, the ultimate corporate espionage tool, the ultimate cybercrime tool," he said.

Mandiant researchers published a second blog post on Tuesday, offering best practices for detecting router malware.

Cisco Talos published Snort Rule 36054 to help users detect attacks leveraging SYNful Knock malware. The company also released an advisory in August warning about attacks involving firmware implants.

In other news

  • The first-ever certificate from the free, automated, open source Let's Encrypt certificate authority was issued Monday, a major milestone for the company that was first introduced in November 2014. The collaboration between the Electronic Frontier Foundation, Mozilla Corp., Cisco Systems Inc., Akamai Technologies Inc., IdenTrust Inc. and researchers at the University of Michigan was created to "revolutionize encryption on websites, making HTTPS implementation a seamless, no-cost option for anyone with a domain." Let's Encrypt created a site to showcase its first certificate. While the organization's cross signature is not available yet, the certificate will work for users with the Internet Security Research Group (ISRG) root in their trusted root store. ISRG Executive Director Josh Aas said the cross signature will be completed in approximately one month.
  • Collaboration between the Library Freedom Project and the Tor Project made headlines this week as the pilot library -- which received concerns last week from the Department of Homeland Security (DHS) and local law enforcement -- reactivated the use of the anonymous browsing network. In July, the Library Freedom Project and Tor Project outfitted the Kilton Public Library in Lebanon, N.H., with Tor to allow library patrons to anonymously browse the Internet. After news of the Tor-enabled library emerged, the DHS and Lebanon police expressed concerns over illegal Tor activities. The library then suspended its Tor use. Lieutenant Matthew Isham of the Lebanon PD said, "For all the good that Tor may allow as far as speech, there is also the criminal side that would take advantage of that as well. We felt we needed to make the city aware of it." The Tor shutdown caused a backlash both online and at the library, with supporters petitioning and picketing to reinstate the Tor relay. After a meeting of the Board of Trustees Tuesday, a decision was made to uphold the Board's unanimous June decision to support Tor and turn the Tor pilot back on, despite government concerns. Interest in the Tor library initiative is growing. Library Freedom Project founder Alison Macrina said in a recent interview that about a dozen other libraries and community leaders have expressed interest in joining the cause.
  • While the iOS 9 update released Wednesday helps mitigate a flaw with a popular file-transfer feature on the OS, it does not provide a complete fix for the vulnerability. Security researcher Mark Dowd informed Apple more than a year ago about a vulnerability in which an attacker can install malware on a target device that has AirDrop enabled. Dowd used a directory traversal attack to exploit Airdrop, alter configuration files and replace legitimate apps with malware. Once infiltrated, the device must reboot for the attack to begin, but it works even if the user rejects the AirDrop transfer. The vulnerability affects iOS 7 and above, and Mac OS X Yosemite and beyond; an OS update -- OS X El Capitan version 10.11 -- will be available on Sept. 30. Dowd published a video demonstrating the attack and told Forbes that while Apple did not completely fix the flaw, it did add a sandbox to AirDrop in iOS 9 to prevent attackers from writing files to arbitrary locations on a device via the AirDrop service. However, Dowd warned that the bug may be exploitable across other programs in addition to AirDrop. Dowd refused to publish additional details of the flaw as the patch did not fix it, but said he will explain more about it at RuxCon next month. Users with vulnerable devices are urged to disable AirDrop until patched.

Next Steps

Identify and prevent router vulnerabilities and defend against router attacks

Learn more about certificate authority security, Tor use and iOS security

Dig Deeper on Network device security: Appliances, firewalls and switches