Tool helps businesses detect routers running known versions of the newly discovered malicious implant.
Cisco Systems
enterprise users now have a way to check if their network routers might have
been infected by the recently disclosed SYNful Knock malware.
The company yesterday released a new Python script that organizations can use to scan their networks for potentially infected routers. The free tool works by looking for routers on the network that answer the malware's specific "knock," William McVey, technical lead at Cisco's Talos Threat Intelligence group, said in a blog post.
The tool can be used to detect hosts compromised with currently known versions of SYNful Knock, McVey said. "But it cannot establish that a network does not have malware that might have evolved to use a different set of signatures," he added. In plainer terms: a hit confirms a known variant, but a clean scan is not evidence that the network is free of modified implants.
"The tool injects custom crafted packets at the Ethernet layer (layer 2) and monitors and parses the responses," McVey said. "This functionality requires that the tool be run with root privileges."
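A minimal version of the knock-and-response check described above, added here as an illustration and not Cisco's or Talos's script: it builds the crafted SYN and classifies captured SYN-ACKs by whether they carry the implant's signature fields. The signature constants (KNOCK_DELTA, REPLY_DELTA, REPLY_OPTIONS) are not on this page; they follow FireEye's published description of the knock and are included as assumptions to be verified against that report. Addresses, ports and the two sample replies are constructed. Unlike Cisco's tool, which frames at layer 2, this builds only the TCP segment and sends nothing, so it runs without root.

```python
"""Knock-style scan for a router implant: build a crafted TCP SYN, then
inspect any SYN-ACK for the implant's signature fields. Pure standard
library; nothing is sent, so it runs offline without root."""
import socket
import struct

# ASSUMED signature constants (not given on this page): they follow FireEye's
# public description of the knock (a SYN whose seq/ack differ by 0xC123D, a
# SYN-ACK with a fixed ack-seq delta and a fixed TCP option string).
# Check them against the published report before relying on them.
KNOCK_DELTA = 0xC123D        # probe: ack = seq + KNOCK_DELTA
REPLY_DELTA = 0xC123E        # reply: ack = seq + REPLY_DELTA
REPLY_OPTIONS = bytes.fromhex("020405b40101040201030305")

SYN, ACK = 0x02, 0x10


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _pseudo(src_ip, dst_ip, length):
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, length)


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, options=b""):
    """Return a raw TCP segment (header + options, no payload) with a valid
    checksum computed over the IPv4 pseudo-header."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a 4-byte multiple")
    offset = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      offset << 4, flags, 8192, 0, 0) + options
    csum = _checksum(_pseudo(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def checksum_ok(src_ip, dst_ip, segment):
    """True when the checksum over pseudo-header + segment folds to zero."""
    return _checksum(_pseudo(src_ip, dst_ip, len(segment)) + segment) == 0


def build_knock_syn(src_ip, dst_ip, sport, dport, seq):
    """The knock: a plain SYN whose acknowledgement field, normally zero in
    a SYN, carries seq + KNOCK_DELTA. A stock TCP stack ignores the field;
    the implant is triggered by it."""
    return build_tcp(src_ip, dst_ip, sport, dport, seq,
                     (seq + KNOCK_DELTA) & 0xFFFFFFFF, SYN)


def parse_tcp(segment):
    sport, dport, seq, ack, off, flags, win, _csum, urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    hlen = (off >> 4) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": win, "urg": urg,
            "options": segment[20:hlen]}


def is_knock_reply(segment):
    """True if the segment is a SYN-ACK carrying the implant's signature:
    the fixed ack-seq delta plus the fixed option string. A normal SYN-ACK
    acknowledges our seq + 1 against a random ISN, so its delta is random."""
    t = parse_tcp(segment)
    if (t["flags"] & (SYN | ACK)) != (SYN | ACK):
        return False
    delta = (t["ack"] - t["seq"]) & 0xFFFFFFFF
    return delta == REPLY_DELTA and t["options"] == REPLY_OPTIONS


def knock_hits(replies):
    """Given (src_ip, segment) pairs captured after sending the knock,
    return the source addresses that answered with the implant signature."""
    return sorted({ip for ip, seg in replies if is_knock_reply(seg)})


if __name__ == "__main__":
    probe = build_knock_syn("10.0.0.1", "10.0.0.2", 40000, 80, 1000)
    # Constructed sample replies: one implant-style, one ordinary SYN-ACK.
    implant = build_tcp("10.0.0.2", "10.0.0.1", 80, 40000, 5000,
                        (5000 + REPLY_DELTA) & 0xFFFFFFFF, SYN | ACK,
                        REPLY_OPTIONS)
    normal = build_tcp("10.0.0.3", "10.0.0.1", 80, 40000, 777777, 1001,
                       SYN | ACK, bytes.fromhex("020405b4"))
    print(knock_hits([("10.0.0.2", implant), ("10.0.0.3", normal)]))
```

To probe a real network the segment would be handed to a raw socket (which is where the root requirement McVey mentions comes from) and replies captured with a sniffer; the caveat above still applies, since a miss says nothing about a variant with a different delta or option string.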
SYNful Knock is
basically malware code that allows attackers to gain nearly undetectable and
persistent remote control over certain Cisco business routers.
Security vendor
FireEye, which issued an alert on the issue last week, described it as a
malicious implant designed to replace and masquerade as the legitimate firmware
on a handful of now discontinued Cisco router models (Cisco 1841, Cisco 2811
and Cisco 3825). Other models are likely impacted as well, FireEye said, based
on its observation of the malware and the impacted systems.
SYNful Knock gives attackers complete administrative control over a compromised router via a backdoor password and provides them with a platform from which to launch attacks against other systems and routers on the same network. At least 14 Cisco network routers, used by businesses to connect to the Internet, have been found infected with the poisoned implant.
Contrary to what
some might expect, the attack is not the result of a security flaw in any of
the affected Cisco products. Instead, in each case the attackers appear to have
managed to either gain actual physical access to the devices, or used
administrative credentials to break into the systems and plant the malware.
Attacks involving
the swapping out and replacing of firmware in a commercial-grade router with a
rogue version have up to now been considered largely theoretical. The
appearance of SYNful Knock suggests otherwise and shows that threat actors have
begun exploring ways to backdoor the critical network routers that
organizations use to connect to the Internet.
As FireEye noted in
its report last week, SYNful Knock could well be the first of a new kind of
attack tactic involving the use of modified router images to gain remote
control of the devices. The same kind of malicious firmware that was implanted
on the Cisco routers can be loaded on routers from other vendors as well.
“Routers are one of
the Holy Grail targets for attackers because they lie outside of many normal
security protections,” says Lamar Bailey, leader of Tripwire's Vulnerability
and Exposures Research Team. “Modifying firmware for your own needs or to add
new features is a common practice and has been used to great success on home
routers and access points,” Bailey says. “This is just the same practice used
on a grander scale.”