SYNful Knock Attack Against Cisco Routers

FireEye is reporting the discovery of persistent malware that compromises Cisco routers:

While this attack could be possible on any router technology, in this case, the targeted victims were Cisco routers. The Mandiant team found 14 instances of this router implant, dubbed SYNful Knock, across four countries: Ukraine, Philippines, Mexico, and India. […] The implant uses techniques that make it very difficult to detect. A clandestine modification of the router’s firmware image can be utilized to maintain perpetual presence to an environment. However, it mainly surpasses detection because very few, if any, are monitoring these devices for compromise.

I don’t know if the attack is related to this attack against Cisco routers discovered in August.

As I wrote then, this is very much the sort of attack you’d expect from a government eavesdropping agency. We know, for example, that the NSA likes to attack routers. If I had to guess, I would guess that this is an NSA exploit. (Note the lack of Five Eyes countries in the target list.)

Posted on September 21, 2015 at 11:45 AM • 23 Comments