The SYNful Knock threat has been found in Cisco routers in India, Mexico, the Philippines and Ukraine, and represents a new attack method and a way of parting companies from their data, Mandiant warned.
“We believe that the detection of SYNful Knock is just the tip of the iceberg when it comes to attacks using modified router images (regardless of vendor),” the company said in a statement that acts as a lure to a full report on the subject.
“As attackers focus their efforts on gaining persistent access, it is likely that other undetected variants of this implant are being deployed throughout the globe. Addressing this new threat vector will require a different type of approach and will certainly reveal information about previously unknown compromises.”
A report is available, as we say, but to be frank there is enough to worry us in the press statement alone. Mandiant said that the implant is hard to find, and that very few people are looking for it anyway.
“No company can exist today without heavily relying on being connected to the internet. Imagine for a second that every bit of data going in and out of these companies could be compromised without any knowledge of it,” the firm added.
“You might first assume that all of the databases or servers would need to be under attacker control. But the router’s position on the edge of the network can now be turned against you to achieve this goal.
“The implant uses techniques that make it very difficult to detect. A clandestine modification of the router’s firmware image can be used to maintain perpetual presence in an environment. However, it mainly surpasses detection because very few, if any, are monitoring these devices for compromise.”
Cisco has been vocal about this sort of thing before, although those were slightly different circumstances. CEO John Chambers was responding to suggestions at the time that the US government was behind the hacked hardware.
Chambers said that such efforts were bad for business. Cisco has responded to the Mandiant report, thanking the firm for the information and using the opportunity to explain the lengths to which it goes to ensure security.
Cisco and Mandiant worked together on the problem, and Cisco has released tools for detecting, and removing, the implant.