Cisco Networking Devices Compromised by SYNful Knock Attack

Update: 23rd September 2015:
The 2 blog posts mentioned below that were written by FireEye found that the SYNful Knock had affected at least 14 routers in countries such as Mexico, Ukraine, India, and the Philippines. However joint research carried out by Cisco and Shadowserver has shown that 199 unique IP addresses are exhibiting SYNful Knock behavior.

ShadowServer’s result are shown within this blog post (which contains further advice on how to prevent this attack affecting your Cisco routers). They intend to keep these statistics updated as time progresses.

In addition, Cisco has created a page regarding SYNful Knock containing useful resources on how to detect and prevent this attack. Their blog post also mentions a Snort Rule (an IPS (defined)) which can be used to detect this attack.

I hope that above additional resources are useful to you in protecting/remediating your network.
Thank you.

Original Post:
Last week a series of blog posts were published by FireEye which provide in-depth technical details of an attack named “SYNful Knock”.

In a previous blog post I mentioned that Cisco had released security updates to address an issue that would allow an attacker to install a compromised/tampered with version of the Cisco IOS operating system on Cisco networking devices. SYNful Knock is a very similar attack that carries out those actions to replace the legitimate Cisco IOS with one that can be completely controlled by the attacker by their inclusion of a backdoor (defined).

Why Should This Issue Be Considered Serious?
The exact purpose of this attack is not clear but the result of replacing the legitimate Cisco IOS with a version controlled by an attacker will allow them to conduct surveillance on the data passing through the network device, control all functions/settings of the device as well as using these devices as highly stealthy “beachheads” with which to launch further attacks. Attackers can also direct legitimate users to spoofed websites, carry out data theft and/or denial of service attacks (defined) since your routers could be made to no longer carry out their role/function.

In addition, due to the above mentioned stealthy nature of this attack, it is more difficult than usual to detect whether your Cisco networking devices have been compromised. As noted in this article, Tony Lee of FireEye mentions that this attack is not likely to be the first and only time the Cisco IOS is modified in a stealthy manner and that very similar attacks and more sophisticated attacks are likely to occur in the future.

Moreover this attack affects multiple Cisco networking devices, specifically:

Cisco 1841 router
Cisco 2811 router
Cisco 3825 router

As noted by FireEye, it is very likely that further devices are vulnerable to this attack due to similarities throughout Cisco’s networking devices and since they share the same IOS operating system.

How Can I Protect Myself From This Issue?
FireEye have dedicated a blog post detailing methods used to detect if your Cisco devices are compromised.

If this is the case, they recommend re-imaging your Cisco device with a clean IOS image obtained from Cisco. You can verify that the image is clean “as intended” by checking that the hash value (defined) from Cisco matches the hash value of the image that you have downloaded.

Furthermore FireEye recommend hardening your devices against future attacks of this nature.

Most importantly as noted by FireEye make sure that if you have to re-image a router that it’s settings are customized to meet your needs and that default usernames and passwords are not used.

Finally, it is believed that this attack occurs due to compromised credentials (username and password) being used to initially access the router to carry out the attack or that the credentials are left at the default settings. However as again noted by FireEye if you know that your router did not use default credentials you may need to begin sweeping every device on your network looking for signs of compromise since the attack will most likely have already come from a compromised system/device within your network.

The Mitigation section of FireEye’s second blog post provides a link to a whitepaper to share among your incident response team should a network sweep become necessary.

Thank you.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.