In a blog post, Cisco confirmed that it has alerted customers affected by the malicious software.
The FireEye report gave no details about the organizations that the 14 infected routers belonged to, or about whether the people behind the attacks work for a state-sponsored spy agency or a criminal organization motivated by financial gain. The report does not describe a software flaw being exploited to install the implant; instead, the attackers stole valid login credentials or gained physical access to the routers.
FireEye said the infected hardware uncovered so far includes Cisco 1841, 2811 and 3825 routers, all of which Cisco has discontinued selling but still supports. The attack lets the intruders plant code quietly within the routers, making it very hard to detect.
“We believe that the detection of SYNful Knock is just the tip of the iceberg when it comes to attacks utilizing modified router images (regardless of vendor)”, FireEye’s announcement warned.
Mandiant, a subsidiary of cybersecurity firm FireEye that specializes in incident response services, has seen the rogue firmware on 14 routers in Mexico, Ukraine, India and the Philippines. “While these types of attacks still represent the majority of attacks on network devices, attackers are now looking for ways to subvert the normal behavior of infrastructure devices due to the devices’ privileged position within the IT infrastructure”, Cisco said.
The attacks, which have been dubbed “SYNful Knock”, modify the firmware of the Cisco routers, giving the attackers a persistent presence on corporate networks that stays under the radar of commonly used security software and techniques. “The implant also provides unrestricted access using a secret back door password”, according to the analysis by FireEye’s Bill Hau, vice president of security consulting services, and technical director Tony Lee. Each module is enabled via the HTTP protocol (not HTTPS), using specially crafted TCP packets sent to the router’s interface. The modules can be independent executable code or hooks within the router’s IOS that provide functionality similar to the backdoor password. None of the models mentioned, however, are still being sold by Cisco.
This differs from the typical malware found on consumer routers, which is removed from memory when the device is restarted. While this kind of attack could be possible on any router technology, in this case the targeted victims were Cisco routers.
“This backdoor provides ample capability for the attacker to propagate and compromise other hosts and critical data using this as a very stealthy beachhead”, it said, adding that hackers attack routers as they operate outside the boundaries of firewalls, anti-virus and other security tools that organisations use to safeguard their data traffic.
Until now, infections of commercial routers, while not unknown, have largely remained theoretical threats, DeWalt stated, as distinct from the routers consumers use at home, which according to media reports have been hit by malware in recent years.
View the original content and more from this author here: http://ift.tt/1KolqKQ
from hacker samurai http://ift.tt/1NF2vT4