Attackers Take Over Cisco Routers With Malicious OS Image

Attackers have successfully taken control of Cisco routers in a new form of attack that involves replacing the router’s operating system, effectively granting unrestricted access to the network, the company confirmed on Tuesday.

The attack, which involves replacing the operating system image embedded in the router’s firmware with a modified version that grants control to an attacker, was previously believed to be “theoretical in nature and especially in use”, according to FireEye’s Mandiant unit, which discovered the malicious system images.

SYNful Knock

FireEye said it found at least 14 such router implants, using a firmware modification it called “SYNful Knock”, spread across the Ukraine, the Philippines, Mexico and India, but said it’s likely that there are more compromised routers that remain undiscovered.

The router compromise is difficult to spot due to the way in which it communicates with attackers, FireEye said.

“The presence of the backdoor can be difficult to detect as it uses non-standard packets as a form of pseudo-authentication,” the company said in an advisory. “Finding backdoors within your network can be challenging; finding a router implant, even more so. The impact of finding this implant on your network is severe and most likely indicates the presence of other footholds or compromised systems.”

The malaware is customisable and can be updated remotely, according to FireEye, and because it is a modification of the router’s firmware, it remains in place even if the device is restarted. However, the modules the malware is capable of loading exist only in the device’s volatile memory, and are erased with a hard restart, FireEye said.

The modified IOS image was found on Cisco’s 1841, 2811 and 3825 routers, but FireEye said it believes other models are probably also affected.

“The implant also provides unrestricted access using a secret backdoor password,” the company said in its advisory.

Undetected for at least a year

FireEye said the compromises didn’t appear to have made use of a security flaw, but rather required the attackers to use valid security credentials. The company speculated that the attackers could have gained access to devices in which the users relied upon default security settings that are publicly known, that the attackers gained knowledge of the security credentials in some other way, or that they had physical access to the affected devices.

FireEye said the compromises affected companies in various industries as well as government agencies, and appeared to have been in place for at least a year before being discovered.

Cisco said in a statement that it recommends users of networking products carry out regular operations aimed at preventing and detecting compromises.

The company previously warned of the possibility of such attacks in an advisory published last month.

Are you a security pro? Try our quiz!