Cisco routers attacked in four countries including India: Security firm FireEye

16 Sep 2015

Cisco routers in India, Ukraine, Philippines and Mexico had come under attack from a sophisticated malicious software that possibly allowed cybercriminals to filch huge amounts of data without being detected, security solutions firm FireEye said today.

Cisco routers were being used in the Indian Air Force's secured communication network AFNET, by telecom operators and by several other government departments.

It could not, however, be ascertained which routers were compromised.

Cisco, the US-based firm, was also a major supplier to many Indian telecom companies. The attack used a highly sophisticated malicious software called SYNful Knock, which had been implanted in routers made by Cisco, according to the report by FireEye.

''Mandiant (a FireEye company) can confirm the existence of at least 14 such router implants spread across four different countries: Ukraine, Philippines, Mexico and India,'' it added.

Confirming the attacks, Cisco said it had recently alerted its customers to a new sort of attack against networking devices.

''These attacks do not exploit vulnerabilities, but instead use compromised credentials or physical access to install malware on network devices. We've shared guidance on how customers can harden their network and prevent, detect and remediate this type of attack,'' a Cisco spokesperson said.

SYNful Knock was a modification of the IOS operating system that ran on professional routers and switches made by Cisco Systems.

So far it had been found by Mandiant researchers on Cisco 1841, 8211 and 3825 "integrated services routers," which were typically used by businesses in their branch offices or by providers of managed network services.

Cisco had ceased sale of the models confirmed to be affected, but there was no guarantee that newer models would not be targeted in the future or had not been already.

In a security advisory published in August, Cisco had warned customers about new attacks that installed rogue firmware on its routers.

The attackers had not exploited a vulnerability in the cases investigated by Mandiant; rather, SYNful Knock was implanted using default or stolen administrative credentials. The rogue firmware implemented a backdoor password for privileged Telnet and console access and also listened for commands carried in specially crafted TCP SYN packets, hence the name SYNful Knock.
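Because the implant described above takes its commands from crafted TCP SYN packets, one network-side check a defender can run is to look for handshake openers that break ordinary TCP rules. The following is an added example, not code from FireEye, Mandiant or Cisco, and it does not encode the implant's actual packet signature (which this report does not give); it assumes only generic TCP sanity rules: an initial SYN (SYN set, ACK clear) should carry no payload, should have a zero acknowledgement number, and should not be combined with FIN, RST or URG. The sample segments are constructed inline for illustration.

```python
import struct
from typing import Dict, List, Tuple

# TCP flag bits (low 9 bits of the data-offset/flags word).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_tcp(segment: bytes) -> Dict:
    """Parse a raw TCP segment (header plus payload) into its main fields."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    src, dst, seq, ack, off_flags, _win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20]
    )
    data_offset = (off_flags >> 12) * 4  # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    return {
        "src_port": src,
        "dst_port": dst,
        "seq": seq,
        "ack": ack,
        "flags": off_flags & 0x1FF,
        "payload": segment[data_offset:],
    }


def syn_anomalies(pkt: Dict) -> List[str]:
    """Return the reasons an initial SYN looks malformed (empty list if fine).

    These are generic TCP sanity rules assumed by this example, not a
    signature of any particular implant: a handshake opener has no payload,
    a zero ACK number, and is not combined with FIN/RST/URG.
    """
    flags = pkt["flags"]
    if not (flags & SYN) or (flags & ACK):
        return []  # not an initial SYN (e.g. a SYN-ACK); ignore
    reasons = []
    if pkt["ack"] != 0:
        reasons.append("nonzero ACK number on a SYN with the ACK flag clear")
    if pkt["payload"]:
        reasons.append(f"{len(pkt['payload'])}-byte payload on an initial SYN")
    if flags & (FIN | RST | URG):
        reasons.append("SYN combined with FIN/RST/URG")
    return reasons


def scan_segments(segments: List[bytes]) -> List[Tuple[int, List[str]]]:
    """Return (index, reasons) for every segment that trips at least one rule."""
    hits = []
    for i, seg in enumerate(segments):
        reasons = syn_anomalies(parse_tcp(seg))
        if reasons:
            hits.append((i, reasons))
    return hits


def build_segment(src: int, dst: int, seq: int, ack: int, flags: int,
                  payload: bytes = b"") -> bytes:
    """Build a TCP segment with a plain 20-byte header; used only to construct samples."""
    off_flags = (5 << 12) | flags  # 5 x 32-bit words, no options
    return struct.pack("!HHIIHHHH", src, dst, seq, ack, off_flags, 65535, 0, 0) + payload


# Constructed sample traffic (not captured data): two normal handshake
# segments and two SYNs that break the sanity rules above.
SAMPLE_SEGMENTS = [
    build_segment(51000, 80, 0x1000, 0, SYN),                  # normal SYN
    build_segment(80, 51000, 0x2000, 0x1001, SYN | ACK),       # normal SYN-ACK reply
    build_segment(51001, 23, 0x3000, 0xDEADBEEF, SYN),         # SYN with a stray ACK number
    build_segment(51002, 23, 0x4000, 0, SYN, b"\x00\x01cmd"),  # SYN carrying a payload
]

if __name__ == "__main__":
    for idx, reasons in scan_segments(SAMPLE_SEGMENTS):
        print(f"segment {idx}: " + "; ".join(reasons))
```

Run against a real capture, the same rules would be applied to segments pulled from a pcap rather than to `SAMPLE_SEGMENTS`; the point is that a SYN carrying data or an acknowledgement number it has no business having is worth a closer look at the router it was sent to, whatever implant (if any) is behind it.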

"Finding backdoors within your network can be challenging; finding a router implant, even more so," the Mandiant security researchers said in a blog post yesterday. "This backdoor provides ample capability for the attacker to propagate and compromise other hosts and critical data using this as a very stealthy beachhead."