Networking

Attackers Install Highly Persistent Malware Implants On Cisco Routers

itwbennett writes: Researchers from Mandiant have detected a real-world attack that has installed rogue firmware on Cisco business routers in four countries. The router implant, dubbed SYNful Knock, implements a backdoor password for privileged Telnet and console access and also listens for commands contained in specifically crafted TCP SYN packets — hence the name SYNful Knock. In the cases investigated by Mandiant the SYNful Knock implant was not deployed through a vulnerability, but most likely through default or stolen administrative credentials.
  • by Anonymous Coward

    One could consider that it was an NSA tool that was re-appropriated by criminals that discovered it.

    • by gweihir ( 88907 )

      Not really. It is not that hard to modify router firmware. Maybe on the level of hacking a C64 ROM. I did that back when I was a kid. Sure, it may take you a few weeks and you need a box to experiment on and a few common reverse-engineering tools, but that is basically it.

  • by Anonymous Coward

    Does anybody know why this is HIGHLY PERSISTENT? Wouldn't a firmware update fix the issue?

    • by TWX ( 665546 )
      Makes me wonder if they've implemented something in the hacked firmware that prevents IOS from changing which IOS image it's booting from, such that one has to have local access to the router to update it through rommon.
      • Well, rommon is a debugger, so if you own that, you can inject yourself into IOS. It's not like IOS images are signed, or encrypted... Not that it matters I guess, everyone has to decrypt to RAM at some point.

        When you can't trust your hardware, you are basically fucked, but yeah IOS should be signed at least.

    • by gweihir ( 88907 )

      That would be simple: Patch the firmware update to protect it. Not new, not special and not difficult to do for somebody competent.

      • The lack of signed images and image verification for OS images, firmware/ROMMON, and such is fairly well known at this point. The fact that it was well understood when I worked at Cisco from 1998-2009 and no one did anything about it is an altogether different issue. There are quite a few other fun exploits that can be run against newer switches and routers too - network automation and virtualization have created a ton of new opportunities. dg
        • by gweihir ( 88907 )

          I am not surprised. Businesses are never forward-thinking these days when it comes to technological advances that do not directly translate into more revenue.

    • by Cramer ( 69040 )

      Because it's done via an upgrade to ROMMON, which has no verification method on a running system. Thus, persistent and undetectable. Once installed, it can prevent its removal.

  • Really? (Score:4, Funny)

    by EmeraldBot ( 3513925 ) on Tuesday September 15, 2015 @10:06AM (#50524781)

    hence the name "SYNful Knock"

    ACK! That pun was SYNful too!

  • It's about time everyone had a long hard look at the software in their systems. Are they open enough for you to make the necessary fix should a problem arise?

    I am by no means a tech geek, but I have DD-WRT on my routers because I can actually change the things I need the router to do. Disabling features in the interest of making more money in a higher end model is kinda dickish, but when you realize that the same dickishness (pardon the crude grammar) is likely responsible for hardcoded logins, it's a sad

    • by Amouth ( 879122 ) on Tuesday September 15, 2015 @10:28AM (#50524911)

      I am by no means a tech geek, but I have DD-WRT on my routers because ...

      No offence but the fact that you are comparing your DD-WRT home router with a Cisco infrastructure device and asking why we trust these vendors really highlights your comment.

      Hardware wise there is no comparison between Cisco business & infrastructure devices and what people normally load a variant of Linux on. I'm not saying it couldn't be done, but the Cisco IOS (and Juniper's OS) is an extremely specialized OS designed along with the hardware to serve a specific function.

      Now I will say that lately they are moving to more modular application based products (layer 4+) which are far more software based on marked up hardware, but for core routers and switches (layer 2/3 devices) there isn't really a quality substitute other than like-in-kind vendors' hardware. At this point you just can't really "build your own" hardware and OS combo which can truly compete and be open source at the same time.

      • Hardware wise there is no comparison between Cisco business & infrastructure devices and what people normally load a variant of Linux on.

        That used to be true, but now we have multiple PCI-E buses in our PCs and they actually have a staggering amount of bandwidth. What's missing now isn't appropriate backplanes but appropriate expansion cards. Someone should cook up a standard for routers based on ATX PCs, but instead of the expansion coming off the side of the motherboard where the ports are located, it would be across the whole top side of the motherboard. Plan for, say, 8U. Then you could also build machines which used riser cards to get o

        • by the time you get all the pieces assembled and working together and certified as working, it will be obsolete and you can throw it away and start over again

        • by Amouth ( 879122 )

          And at that point the level of engineering you are doing for the parts brings you back to bespoke purpose built hardware - now you need an OS and application which can manage it all, which doesn't yet exist for that hardware. All you would be doing is re-inventing the wheel to compete with the existing suppliers.

          so again back in the same camp

          • And at that point the level of engineering you are doing for the parts brings you back to bespoke purpose built hardware - now you need an OS and application which can manage it all, which doesn't yet exist for that hardware.

            If only you knew what you were talking about. You'd add support for the I/O chips to Linux (or whatever) as well as for the expansion cards. They would need a driver no matter what OS you meant to use them with, even Cisco IOS. And using PCI-E and a basically stock PC (but again, with a new chipset if necessary) would explicitly avoid that problem!

            • I think you're on the right track. There's a methodology underway that has enough momentum that it's got its own buzzword: SDN -- Software Defined Networking [wikipedia.org]

              It uses the very architecture you're suggesting: essentially a bunch of PCI cards working to form a network switching matrix. OpenFlow [wikipedia.org] is a standardized communications interface for controlling systems like SDN. Interesting reading.

      • I wouldn't say 'there is no comparison' between Cisco business and infrastructure devices and what people load a variant of Linux on - unless you mean that what most people run Linux on has far more horsepower, memory, and capability. The bulk of the Cisco routers, by volume, are branch boxes - these have relatively low performing CPUs and largely do packet forwarding in the CPU because there is no need for HW acceleration when you are running up to 1Gbps nowadays. Lately, since the advent of IOS-XE and N
      • Hardware wise there is no comparison between Cisco business & infrastructure devices and what people normally load a variant of Linux on. I'm not saying it couldn't be done, but the Cisco IOS (and Juniper's OS) is an extremely specialized OS designed along with the hardware to serve a specific function.

        IOS is a monolithic disaster that runs completely in ring 0. Hardly something to be proud of. Juniper is BSD with a much more sane architecture.

        Now I will say that lately they are moving to more modular application based products (layer 4+) which are far more software based on marked up hardware, but for core routers and switches (layer 2/3 devices) there isn't really a quality substitute other than like-in-kind vendors' hardware. At this point you just can't really "build your own" hardware and OS combo which can truly compete and be open source at the same time.

        The only thing general purpose computers don't have are specialized ASICs to perform table lookups and forward at scale. The way things are going with SDN, routers will be nothing more than GPU-like express interface cards that connect to a chassis backplane before too long.

  • by Moskit ( 32486 ) on Tuesday September 15, 2015 @10:26AM (#50524891)

    Cisco already published a security advisory on that a month ago:
    http://tools.cisco.com/securit... [cisco.com]

    Attackers required either valid admin credentials or physical access to the device to replace firmware. Such attacks were understood for a long time.

    Nevertheless it's interesting to observe an increase in attacks against infrastructure itself, rather than bandwidth.

    • by gweihir ( 88907 )

      Indeed. Patching firmware when you have control over the hardware (or admin privileges) is something every self-respecting firmware coder and hacker can do. Not special. At all.

  • ... is why all* devices where the end user reasonably expects that he "owns/controls" the device need to have a way for end users to do a "real" factory-reset.

    *Super-cheap devices which are literally cheaper to replace than manage may be exceptions. With the "Internet of things" you may see future "smart" devices that cost less than $1 to replace.

    • The price argument is a bad one, it turns into just the excuse they use for not making a proper product.

  • show us the infection! I suspect it's in the bootroms (rommon), and it can insert into any IOS during the unzipping of IOS into ram (#######) ..

  • by bobbied ( 2522392 ) on Tuesday September 15, 2015 @10:57AM (#50525131)

    Problem solved... Just be careful about administrative access controls...

    Now I know a bunch of folks who don't lock down their Cisco gear before they put it into production and they get what they deserve. But for Pete's sake, you simply MUST protect your equipment and that means keeping control of administrative credentials on these systems. Personally, I'd have all primary network equipment on a totally separate network infrastructure in the first place so the general population at a site didn't have direct access to the network equipment administrative interfaces, PLUS I would be very careful about who had access to both the network and credentials necessary to access the equipment. Not to mention I'd pretty much lock down the TFTP resources on that network so only approved and fully vetted firmware ever got where it could be flashed.

    I worked for a company that didn't password protect their Cisco VTP domain on their switches or change the default admin passwords and used telnet consoles. Yeah, it was easy to add a switch, just wire the thing up and voila, you got the VTP domain configuration pushed. Worked great until an employee plugged in a factory fresh switch and deleted all the VLANs he saw on it. He unknowingly wiped the whole company's switching fabric clean (without backups, even in hard copy). It took 3 days to recover, during which time little business got done. They were extremely stupid.

    So, if you don't at least override the administrative defaults or don't manage your administrative credentials carefully, you are stupid and you get what you deserve in my book.
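The controls the post above argues for (no default credentials, management access only from a separate admin network, Telnet off, VTP protected, unauthorized firmware and config changes made visible) as an added IOS configuration example, not the commenter's own config. It assumes a constructed management VLAN 10.10.99.0/24, a constructed syslog host 10.10.99.50, and placeholders in angle brackets; VTP and resilient-boot commands exist only on platforms that support them.

```cisco
! Added example (not the commenter's config). Assumes a management VLAN at
! 10.10.99.0/24, a syslog host 10.10.99.50 and placeholders in <angle brackets>.
hostname edge-rtr
ip domain-name corp.example
service timestamps log datetime msec
service password-encryption
no service tcp-small-servers
no ip http server
no ip http secure-server
!
! Replace factory defaults; 'secret' stores a hash, not the clear-text password.
enable secret <ENABLE-SECRET>
username netadmin privilege 15 secret <ADMIN-SECRET>
login block-for 120 attempts 3 within 60
!
! SSH only: Telnet is the access path the implant's backdoor password targets.
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Management ACL: only the admin VLAN may reach the VTY lines; misses are logged.
ip access-list standard MGMT-ONLY
 permit 10.10.99.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
 login local
 exec-timeout 5 0
line con 0
 login local
 exec-timeout 5 0
line aux 0
 no exec
 transport input none
!
! VTP (Catalyst switches only): a factory-fresh switch cannot rewrite the VLAN database.
vtp domain CORP
vtp password <VTP-SECRET>
!
! Verify image hashes on copy/reload, and ship every config change off-box so an
! unauthorized firmware load or config edit leaves a record the router cannot hide.
file verify auto
archive
 log config
  logging enable
  notify syslog
  hidekeys
logging host 10.10.99.50
logging trap informational
```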

    • by gweihir ( 88907 )

      Indeed. "Problem located between keyboard and chair". The usual reason for such extreme security problems.

    • I am waiting for this to happen. Remote admin is only available on this port. That way you can have a secondary secure network for upgrading. Even if that is then connected to the net via a secondary router it would be easier to secure. When designing my home network I plan on running three networks.

      One, an open wireless AP for guests
      Two, a wired/wireless network for my use. Netflix, smart TV etc, etc
      Third, a secure network accessible to the outside only through a secure VPN etc. for IoT devices, cameras, smart h

      • I already do this at home, only I'll warn you it's expensive to buy the managed switches you will need.

        I've been using the old Linksys small business switches which are way out of support, have a quirky web interface that requires a very old version of IE to actually use and are generally limited to 100BaseT speeds. However, it allows me to have a switch fabric that is both redundant and available at all the points I need in my home. I have two active routers, both are OpenWRT based, one that faces my ISP

    • ...Personally, I'd have all primary network equipment on a totally separate network infrastructure in the first place...

      I wonder: What sort of equipment would you use for connecting the "primary network equipment" to the rest of the infrastructure?

      • Separate Infrastructure != separate equipment. Logical separation != Physical separation.

        I'd keep ALL administrative interfaces on a separate VLAN which does not logically connect to the network used by the rest of the world except at known points which are firewalled, controlled and monitored. Access to this VLAN would be limited to network admins who presented valid, up-to-date credentials.

        • by Nkwe ( 604125 )

          Separate Infrastructure != separate equipment. Logical separation != Physical separation.

          I'd keep ALL administrative interfaces on a separate VLAN which does not logically connect to the network used by the rest of the world except at known points which are firewalled, controlled and monitored. Access to this VLAN would be limited to network admins who presented valid, up-to-date credentials.

          If you consider firmware compromise, you have to forget about the isolation given to you by firewalls and VLANs. VLANs are only a logical separation; a VLAN is just a couple of extra bytes added to each network packet that you hope whatever is on the wire will honor. If the firmware of your network equipment is compromised, you can't depend on VLAN isolation being honored.

          • For Pete's sake... I'm pretty sure that nobody is going to sneak in and compromise my firmware, unless of course they are a duly authorized administrative type, and in that case the jig is up anyway; they can do *anything* they want on my network equipment if they can load firmware. The idea in that case is to MONITOR and catch the fact that unauthorized firmware has been loaded.

            Look there is NOTHING you can do to be 100% secure. One thing you simply cannot do anything about is your approved administrators.

          • by Bengie ( 1121981 )
            What you say is true, but only if one of the devices is already compromised. Chicken and egg issue. In order to compromise a device by accessing its admin interface, you first need a compromised device that allows you to jump VLANs. Of course a VLAN ID mismatch or a misconfigured switch could allow a network device to forge packets that hop VLANs, assuming the switch has such a security issue, which has happened. Security is done in layers. Don't assume any layer is impervious.
  • If I'm paying 500~thousands of dollars for a big Cisco router then is it so much to ask for the persistent memory to be a removable SD card? The only writable memory that persists on a reboot should be removable and scannable in a third party system. Pull the card, check it out... maybe flash replacement firmware to the card separately, then plug it back into the router.

    I generally have this attitude with any firmware in any computer. Viruses are getting uploaded to them and how is the antiviral supposed to
