Cisco router 'SYNful Knock' compromise dissected by FireEye

Just as well only three lines of Cisco routers are affected by critical security flaw

Security services company FireEye has published an analysis of new attacks being conducted against Cisco routers, which seek to permanently compromise the targeted devices.

The attacks, which have been dubbed "SYNful Knock", are capable of modifying the firmware of the Cisco routers, enabling the attackers to acquire a persistent presence on corporate networks under the radar of typically used security software and techniques.

FireEye claims that the attackers use a modified IOS image - IOS being Cisco's router operating system - and simply use default or stolen login credentials to gain access to the routers.

"The implant consists of a modified Cisco IOS image that allows the attacker to load different functional modules from the anonymity of the internet. The implant also provides unrestricted access using a secret back door password," according to the analysis by FireEye's Bill Hau, vice president of security consulting services, and technical director Tony Lee.

It continues: "Each of the modules is enabled via the HTTP protocol (not HTTPS), using specifically crafted TCP packets sent to the router's interface."

Fortunately, the list of Cisco hardware affected is (currently) restricted to just the Cisco 1841, 2811 and 3825 routers.

"The implant resides within a modified Cisco IOS image and, when loaded, maintains its persistence in the environment, even after a system reboot. However, any further modules loaded by the attacker will only exist in the router's volatile memory and will not be available for use after reboot. From a forensic standpoint, if the modules are loaded in volatile memory, one can analyse them by obtaining a core dump of the router image."

Finding out whether a router has been compromised is relatively straightforward, according to FireEye. "The simplest way to determine if the router has been modified is to use the 'show platform | include RO, Valid' command. The IOS image may have been tampered with to allow the modification of executable code if no results are displayed."
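The check FireEye describes amounts to filtering the router's memory-region table for regions that are both read-only and valid, and treating an empty result as a warning sign. The script below is an added example, not code from FireEye or Cisco: it emulates the '| include RO, Valid' filter and also parses the region table so that a reviewer can see which regions are read-only rather than just a yes/no. The column layout of the two sample outputs is constructed for illustration and is an assumption; real 'show platform' output differs between ISR models and IOS versions, so the regular expression should be adapted to what the device actually prints, and the script deliberately reports "unparsed" rather than "clean" when it recognises no region lines at all.

```python
"""Flag Cisco IOS 'show platform' output that lacks 'RO, Valid' memory regions.

Added example (not FireEye's or Cisco's code). The region-table layout below is
CONSTRUCTED for illustration; adapt REGION_RE to the output of your own device.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: what a healthy router might print (columns are an assumption).
HEALTHY_OUTPUT = """\
Router#show platform
Region  Start       End         Attributes
------  ----------  ----------  ---------------------------
text    0x40000000  0x41CFFFFF  RO, Valid, Cacheable
data    0x41D00000  0x43FFFFFF  RW, Valid, Cacheable
heap    0x44000000  0x4FFFFFFF  RW, Valid, Cacheable
"""

# Constructed sample of the condition the article describes: no region is marked
# read-only, consistent with an image patched so executable code can be modified.
SUSPECT_OUTPUT = """\
Router#show platform
Region  Start       End         Attributes
------  ----------  ----------  ---------------------------
text    0x40000000  0x41CFFFFF  RW, Valid, Cacheable
data    0x41D00000  0x43FFFFFF  RW, Valid, Cacheable
heap    0x44000000  0x4FFFFFFF  RW, Valid, Cacheable
"""

# One region row: name, hex start, hex end, comma-separated attribute list.
REGION_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<start>0x[0-9A-Fa-f]+)\s+(?P<end>0x[0-9A-Fa-f]+)\s+(?P<attrs>.+)$"
)


@dataclass
class Region:
    name: str
    start: int
    end: int
    attrs: List[str]

    @property
    def read_only_valid(self) -> bool:
        # The property the '| include RO, Valid' filter is looking for.
        return "RO" in self.attrs and "Valid" in self.attrs


def include_filter(output: str, needle: str = "RO, Valid") -> List[str]:
    """Emulate IOS '| include <needle>': keep only lines containing the substring."""
    return [line for line in output.splitlines() if needle in line]


def parse_regions(output: str) -> List[Region]:
    """Parse region rows; header, separator and prompt lines do not match and are skipped."""
    regions: List[Region] = []
    for line in output.splitlines():
        m = REGION_RE.match(line.strip())
        if not m:
            continue
        attrs = [a.strip() for a in m.group("attrs").split(",")]
        regions.append(
            Region(m.group("name"), int(m.group("start"), 16), int(m.group("end"), 16), attrs)
        )
    return regions


def assess(output: str) -> Dict[str, object]:
    """Summarise the check: suspect only when rows parsed but none is RO+Valid."""
    regions = parse_regions(output)
    ro_valid = [r.name for r in regions if r.read_only_valid]
    return {
        "regions": len(regions),
        "ro_valid_regions": ro_valid,
        # An unrecognised format must not be reported as clean.
        "unparsed": len(regions) == 0,
        "suspect": len(regions) > 0 and not ro_valid,
    }


if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY_OUTPUT), ("suspect", SUSPECT_OUTPUT)):
        print(label, include_filter(text), assess(text))
```

Feed it the saved output of 'show platform' from each router in an inventory and review anything marked "suspect" or "unparsed" by hand; a positive result here is only the first indicator, and FireEye's own guidance is to follow it with a core dump of the running image.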

Attackers can make use of the backdoor password in three different ways, including via the console or telnetting into the device. "The implant will first check to see if the user input is the backdoor password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials. This ensures that the least amount of suspicion is raised... Research has shown that SSH or HTTPS sessions do not provide access for the backdoor password. This could be a configuration issue and may vary on compromise."

FireEye has recommended that organisations running Cisco routers should conduct a security analysis of the hardware straight away, as a compromised Cisco router will almost inevitably mean that other parts of the organisation's infrastructure will have been compromised.

"The impact of finding this implant on your network is severe and most likely indicates the presence of other footholds or compromised systems. This backdoor provides ample capability for the attacker to propagate and compromise other hosts and critical data using this as a very stealthy beachhead," it warns.

Footnote: Tony Lee's previous job title at FireEye was "mad scientist", according to his LinkedIn profile