Cisco Routers In India Infected By Malware

by CXOtoday News Desk    Sep 16, 2015


Cisco routers in India, Ukraine, the Philippines and Mexico have been attacked by sophisticated malicious software that could allow cybercriminals to harvest huge amounts of data without being detected, according to security solutions firm FireEye. The US-based Cisco is a major supplier to many Indian telecom firms. Moreover, these routers are installed at strategic locations in India, including AFNET, which is considered a secure communication network for the Indian Air Force.

The attack uses highly sophisticated malicious software called SYNful Knock, which has been implanted in routers made by Cisco, FireEye said in its report. Mandiant (a FireEye company) has confirmed the existence of at least 14 such router implants spread across the four countries.

Cisco confirmed the attacks, saying it had recently alerted its customers to a new sort of attack against networking devices. “In the past, attackers were primarily targeting infrastructure devices to create a denial of service (DoS) situation. While these types of attacks still represent the majority of attacks on network devices, attackers are now looking for ways to subvert the normal behavior of infrastructure devices due to the devices’ privileged position within the IT infrastructure. In fact, by owning an infrastructure device such as a router, the attacker may gain a privileged position and be able to access data flows or crypto materials or perform additional attacks against the rest of the infrastructure,” the company said in a statement.

The implant uses techniques that make it very difficult to detect. A clandestine modification of the router’s firmware image can be used to maintain a persistent presence in an environment. However, it mainly escapes detection because very few organisations, if any, monitor these devices for compromise.

“These attacks do not exploit vulnerabilities, but instead use compromised credentials or physical access to install malware on network devices. We’ve shared guidance on how customers can harden their network and prevent, detect and remediate this type of attack,” a Cisco spokesperson said.

FireEye said the router’s position in the network makes it an ideal target for re-entry or further infection. “The impact of finding this implant on your network is severe and most likely indicates the presence of other footholds or compromised systems. This backdoor provides ample capability for the attacker to propagate and compromise other hosts and critical data using this as a very stealthy beachhead,” it said, adding that hackers target routers because they operate outside the boundaries of the firewalls, anti-virus and other security tools that organisations use to safeguard their data traffic.

“We believe that the detection of SYNful Knock is just the tip of the iceberg when it comes to attacks utilizing modified router images (regardless of vendor). As attackers focus their efforts on gaining persistent access, it is likely that other undetected variants of this implant are being deployed throughout the globe,” say FireEye researchers.