SYNful Knock Malware Found on Almost 200 Cisco Routers

Scans of the Internet by Cisco and Shadowserver found more infected hardware than the 14 initially discovered earlier this month.

network security

Cisco Systems' problems with routers infected with the malicious firmware known as SYNful Knock continue to grow.

Cisco and Mandiant—a subsidiary of cyber security vendor FireEye—last week announced that 14 routers in four countries (India, Mexico, Ukraine and the Philippines) were infected with the malware, which can take over the hardware and offer attacks a backdoor access. Through this access, attackers can install other malware, gain control of Internet traffic, direct users to other sites, steal data and launch attacks against other devices.

The malware looks to compromise the IOS software on the Cisco routers.

Cisco officials, at the time, said they were taking steps to help customers deal with the infection, with a spokesman telling eWEEK that "these attacks do not exploit vulnerabilities, but instead use compromised credentials or physical access to install malware on network devices. We've shared guidance on how customers can harden their network, and prevent, detect and remediate this type of attack."

However, the networking vendor has also since been working with partner and cyber-crime organization Shadowserver Foundation, which found that the SYNful Knock malware had been detected on almost 200 routers in 31 countries worldwide. Cisco has been working with Shadowserver to scan the Internet to get a better count of infected systems.

"It is important to stress the severity of this malicious activity," Shadowserver officials wrote in a Sept. 21 post on the organization's blog. "Currently, Shadowserver believes that any machine that responds to this scan is potentially compromised. Compromised routers should be identified and remediated as a top priority."

The warning echoed similar sentiments that FireEye officials talked about in a post on that company's blog when they initially announced the SYNful Knock findings Sept. 15.

"The impact of finding this implant on your network is severe and most likely indicates the presence of other footholds or compromised systems," the researchers wrote. "This backdoor provides ample capability for the attacker to propagate and compromise other hosts and critical data using this as a very stealthy beachhead."

FireEye officials also told eWEEK that while Cisco routers were most likely targeted because of how many of them are in the market, other vendors' equipment also likely is at risk.

The infections hit a broad range of countries, from the United States, India and Russia to Iran, Vietnam, Costa Rica, Nigeria and Barbados.

Cisco has created an event response page for the SYNful Knock malware on its Website, and has unveiled steps to take to prevent infections, from hardening the devices and monitoring the network to establishing a baseline and analyzing anomalies or deviations from the baseline.

Cisco officials said that for years they've been on guard for attacks on networking devices and their credentials and the need to protect them, and in August issued a security bulletin about the evolution of attacks against platforms running Cisco's IOS software and how to harden the products.

"Given their role in a customer's infrastructure, networking devices are a valuable target for threat actors and should be protected as such," Omar Santos, incident manager for security research and operation for Cisco's Product Security Incident Response Team, wrote in a post on the company's blog following the Mandiant disclosure. "We recommend that customers of all networking vendors include methods for preventing and detecting compromise in their operational procedures."

Shadowserver officials said network administrators should monitor their networks for SYNful Knock using Snort rules aimed at the malware. "This will allow monitors to identify compromised machines within their network," they said.