Attackers Install Highly Persistent Malware Implants On Cisco Routers
itwbennett writes: Researchers from Mandiant have detected a real-world attack that has installed rogue firmware on Cisco business routers in four countries. The router implant, dubbed SYNful Knock, implements a backdoor password for privileged Telnet and console access and also listens for commands contained in specifically crafted TCP SYN packets — hence the name SYNful Knock. In the cases investigated by Mandiant the SYNful Knock implant was not deployed through a vulnerability, but most likely through default or stolen administrative credentials.
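The summary says the implant takes commands from specially crafted TCP SYN packets. A pure SYN in a normal handshake carries no data and, per RFC 793, has a meaningless (and in practice zero) acknowledgement number, so two cheap generic checks on passive captures are "SYN with payload" and "SYN without ACK flag but with a non-zero ack number". The following is an added example, not code from Mandiant or from the thread: it parses raw IPv4/TCP bytes and flags those anomalies. The packets are constructed inline; the checks are generic protocol anomalies, not the implant's exact signature, which the summary does not give.

```python
import struct

SYN, ACK = 0x02, 0x10  # TCP flag bits


def parse_ipv4_tcp(frame: bytes):
    """Parse a raw IPv4+TCP packet (no link-layer header).
    Returns a dict of the fields the checks need, or None if the packet
    is not TCP or is truncated."""
    if len(frame) < 20:
        return None
    (ver_ihl, _tos, _total, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    tcp = frame[ihl:]
    if len(tcp) < 20:
        return None
    (sport, dport, seq, ack, off_flags,
     _win, _csum2, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    if len(tcp) < data_off:
        return None
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "payload": tcp[data_off:],
    }


def suspicious_syn(pkt):
    """Reasons a pure SYN (SYN set, ACK clear) looks crafted rather than a
    normal connection attempt. Generic anomalies only, not the implant's
    actual signature."""
    reasons = []
    if pkt["flags"] & SYN and not pkt["flags"] & ACK:
        if pkt["payload"]:
            reasons.append(f"SYN carries {len(pkt['payload'])} payload bytes")
        if pkt["ack"] != 0:
            reasons.append("acknowledgement number set on a SYN without the ACK flag")
    return reasons


def scan(frames):
    """Return (src, dst, dport, reasons) for every frame that trips a check."""
    hits = []
    for frame in frames:
        pkt = parse_ipv4_tcp(frame)
        if pkt is None:
            continue
        reasons = suspicious_syn(pkt)
        if reasons:
            hits.append((pkt["src"], pkt["dst"], pkt["dport"], reasons))
    return hits


def _ip4(addr):
    return bytes(int(o) for o in addr.split("."))


def build_packet(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Constructed test traffic; checksums are left zero because the checks
    above do not validate them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     _ip4(src), _ip4(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags,
                      8192, 0, 0)
    return ip + tcp + payload


# Constructed sample: two ordinary handshake packets and two knocks.
SAMPLE = [
    build_packet("10.0.0.5", "192.0.2.1", 40000, 22, 1000, 0, SYN),
    build_packet("192.0.2.1", "10.0.0.5", 22, 40000, 5000, 1001, SYN | ACK),
    build_packet("203.0.113.9", "192.0.2.1", 40002, 80, 2000, 0, SYN, b"\x00\x01knock"),
    build_packet("203.0.113.9", "192.0.2.1", 40003, 80, 3000, 0xDEADBEEF, SYN),
]

if __name__ == "__main__":
    for src, dst, dport, reasons in scan(SAMPLE):
        print(f"{src} -> {dst}:{dport}: {'; '.join(reasons)}")
```

Feed it the IP payloads from a capture taken upstream of the router rather than on the router itself: a box whose firmware is suspect is the wrong place to run the detector, and the same reasoning applies to the backdoor Telnet/console password, which will not show up in any check the implant gets to answer.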
As opposed to 'persistent'?
Hyperbole much?
One could consider that it was an NSA tool that was re-appropriated by criminals that discovered it.
Only an idiot exposes a Linux box directly to the Internet.
Does anybody know why this is HIGHLY PERSISTENT? Wouldn't a firmware update fix the issue?
ACK! That pun was SYNful too!
"Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
From TFA: "Routers don't typically get the same level of security attention as employee workstations or application servers that companies actually expect to be attacked. They're not protected by firewalls and don't have antimalware products running on them."
Huh?
Last time I checked the whole point of the router was that it's a limited-purpose device and its management access was highly restricted, both in terms of credentials to access the management interface and of the networks that the management interface will communicate with.
Do not look into laser with remaining eye.
Time to break out the wrench and some drugs.
It's about time everyone had a long hard look at the software in their systems. Are they open enough for you to make the necessary fix should a problem arise?
I am by no means a tech geek, but I have DD-WRT on my routers because I can actually change the things I need the router to do. Disabling features in the interest of making more money in a higher end model is kinda dickish, but when you realize that the same dickishness (pardon the crude grammar) is likely responsible for hardcoded logins, it's a sad state of affairs.
Oh well.
Good thing there are plenty of FreeBSD and OpenBSD based systems on that list!
Sure, credentials. No way are these backdoors already installed on devices which are ordered from Cisco and delivered by the NSA.
Cisco already published a security advisory on that a month ago:
http://tools.cisco.com/securit...
Attackers required either valid admin credentials or physical access to the device to replace the firmware. Such attacks have been understood for a long time.
Nevertheless it's interesting to observe an increase in attacks against the infrastructure itself, rather than bandwidth.
The last Juniper box we had was configured through an unprotected root shell.
Pretty unbelievable.
Hackers are using telnet rather than ssh or some other encrypted path? I guess it might be okay to initially get in before something more sophisticated is set up, but it does seem rather primitive and prone to easy detection of the intrusion on the network.
So your fix is to replace Cisco appliances entirely with PCs. Could you point me towards a PC offering 60 Tbit/s of switching capacity? Heck, can you point me towards a standard PC that can push 60 Tbit/s through the processor?
http://www.cisco.com/c/en/us/products/collateral/switches/nexus-9000-series-switches/datasheet-c78-729404.html
You half-wit! You couldn't even bother to read the summary, let alone the article.
This isn't manufacturer installed, nor is it a manufacturer shortcoming. It is a stupid user issue. The attackers got the admin/root password and then installed malware. The same could happen to ANY router, especially DD-WRT.
There is no manufacturer protection against stupid users failing to protect against remote access or the use of weak passwords.
P.S. Cisco != Linksys. The story is talking about real routers, not your home-use consumer crap.
How does that refute what I said? Or are you claiming that there are no Linux based systems on that list?
Routers don't typically get the same level of security attention as employee workstations or application servers that companies actually expect to be attacked.
Well no, because you have them racked in a locked cage in a locked room in a restricted access Datacenter. You have network access restricted and strong authentication and logging/audit systems in place. It doesn't need much "security attention" because it's a hell of a lot easier to harden than a user workstation and has far fewer "attack surfaces" compared to an application server.
They're not protected by firewalls
Show me an Enterprise or Carrier grade router which doesn't have a firewall. They all have them, whether or not they're enabled along with other security policies, access lists, etc. is a matter of who is in charge of them.
and don't have antimalware products
Of course they don't. Why the fuck would they? They ought to be running a signed image file from the manufacturer, which is trivial to validate if you're THAT concerned about it.
... is why all* devices where the end user reasonably expects that he "owns/controls" the device need to have a way for end users to do a "real" factory-reset.
*Super-cheap devices which are literally cheaper to replace than manage may be exceptions. With the "Internet of things" you may see future "smart" devices that cost less than $1 to replace.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Show us the infection! I suspect it's in the bootroms (rommon), and it can insert into any IOS during the unzipping of IOS into RAM (#######) ..
Problem solved... Just be careful about administrative access controls...
Now I know a bunch of folks who don't lock down their Cisco gear before they put it into production and they get what they deserve. But for Pete's sake, you simply MUST protect your equipment and that means keeping control of administrative credentials on these systems. Personally, I'd have all primary network equipment on a totally separate network infrastructure in the first place so the general population at a site didn't have direct access to the network equipment administrative interfaces, PLUS I would be very careful about who had access to both the network and credentials necessary to access the equipment. Not to mention I'd pretty much lock down the TFTP resources on that network so only approved and fully vetted firmware ever got where it could be flashed.
I worked for a company that didn't password protect their Cisco VTP domain on their switches or change the default admin passwords and used telnet consoles. Yeah, it was easy to add a switch, just wire the thing up and voilà, you got the VTP domain configuration pushed. Worked great until an employee plugged in a factory fresh switch and deleted all the VLANs he saw on it. He unknowingly wiped the whole company's switching fabric clean (without backups, even in hard copy). It took 3 days to recover, during which time little business got done. They were extremely stupid.
So, if you don't at least override the administrative defaults or don't manage your administrative credentials carefully, you are stupid and you get what you deserve in my book.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Well, that is the way people with an actual clue set it up. They may only ssh to the box with everything else off and a limited IP-range allowed for the source, or may use the serial port, via direct connection ("go there") or a hardened terminal server.
Unfortunately, many networking people are cheap and clueless and do what is most convenient. This is really the fault of management that hired cheaper than possible personnel, as has gotten so common in IT these days.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
You don't have your router's admin interface limited to the admin VLAN, locked down to SSH with keys, and restricted the admin VLAN to VPN access or devices with no internet access?
Last time I checked the whole point of the router was that it's a limited-purpose device and its management access was highly restricted, both in terms of credentials to access the management interface and of the networks that the management interface will communicate with.
Yes, and they typically don't have anti-virus or get as much scrutiny as a workstation. What's your point?
Great point, but to drive it home further, Cisco and Huawei both have core routers with petabit label routing.
See subject menial: They're still just dual NIC/dual homed pc's with RAM + an OS. The amount of RAM's the biggest difference and software to address it. Nothing more. What makes me laugh the most is what you're so "proud" of yourself for doing is merely using and working with what others built. You didn't create it yourself. That makes you a no creativity menial and you know it.
See subject: Downmod me bogusly & I'll burn you out of your abused modpoints, as I have NO LIMITS on how often I can post as ac (unlike most others here).
APK
P.S.=> I'll just keep reposting this until I make you realize you're fools messing with your betters (myself), dolts... apk
The amount of RAM's the biggest difference and software to address it. Nothing more.
So you say that cisco routers and home pcs have the same video cards, the same USB subsystems, the same power supplies? This is great, I'm looking forward to playing some high performance video games on a cisco router.
See subject: I had a "boss" (paper cne) once who said "CISCO never gets exploited" which was COMPLETE BULLSHIT even then (circa 2006) & I told him of it, + proved it via various exploits on their hardware + IOS that I found online...
* THIS IS EXACTLY THE TYPE OF EASILY FOOLED MORONS & their utter stupidities YOU GET WITH UNDEREDUCATED WANNABES WHO HAVE NEVER DONE THE JOB THEMSELVES, proven for years, HANDS ON & BEING IN CONTROL OF ANY GIVEN FIELD IN COMPANIES' MGT. STRATA!
(What always "blew my mind" was they are your "superiors" in the workplace - but they turn out to be ANYTHING but that...)
LASTLY: Downmod me unjustly again? READ & know I'll run you DRY of your "modpoints" fools -> http://tech.slashdot.org/comme...
APK
P.S.=> Unfortunately, that is the case 99% of the time, then - it's gotten BETTER now (just a wee bit) w/ companies being suckered by the "mgt." numbskulls of the kind that have NEVER DONE THE JOB THEMSELVES, for years, HANDS-ON - tech companies should NEVER, ever, make that mistake (but they do, quite a lot)... apk
At work, yes. At home, no.
Routers are just dual homed stripped down pc units. I can do the same with an old pc.
no, they are not. routers do packet filtering in hardware
certainly you can route with a PC, but without hardware filtering, you're slowing down the traffic
See subject: YOU SLOW IT DOWN! You're proving yourself a by rote menial with no understanding of computing right there. I can still get the job done minus a router which is only a pc that's dual homed, nothing more.
God damn it apk. I stuck up for you in the last thread. I thought you turned a new leaf.
A very low-end Cisco router could be described as "dual NIC/dual homed pc's with RAM + an OS." Most Cisco routers can take modules and WAN cards to expand their functionality beyond the one or two built-in NICs. Some Cisco routers don't even have NICs, just module and/or WAN slots.
http://www.cablesandkits.com/cisco-modules-c-50_83.html
I'll show you 50% of the Fortune 100 where I can SSH directly to a switch or router with no jump server in the data path. I know of one organization where from a desktop I can SSH to over 75,000 network devices unfettered... dg
The discussion was about routers not protected by firewalls. Most home "routers" are firewalls. That being said, my above post is how I have my home network set up.
You can expand pc/servers too. A router's still a pc that's dual homed and it's nothing I can't do with an old pc. Fact.
You also hit on a fact I told him on filtering slowing you on *anything* (even @ router level). Routers are just dual homed pc units, nothing more in hardware. Nothing you can't do with another pc, and not even a really good one.
Can your old PC do what a $17,500 Cisco router can do?
The Cisco 4451-X offers a multicore CPU architecture running modular Cisco IOS XE software that dynamically adapts to the changing needs of your branch-office environment. The separation of the control and data planes provides the ability to deliver application-aware network services while maintaining a stable platform and a high level of performance during periods of heavy network load. With the ability to integrate application-aware services and the ability to scale performance without a complete equipment upgrade, the Cisco 4451-X offers exceptional total cost of ownership (TCO) savings and network agility through the intelligent integration of market-leading security, unified communications, and application services.
https://www.cdw.com/shop/products/Cisco-4451-X-Integrated-Services-Router-Application-Experience-with-Voice/3641687.aspx
You still trying to tell us you're not slowing down using filtering on routers? Wrong & see subject + http://tech.slashdot.org/comme...
Instead of pasting marketing bs: Old pc doesn't cost 18 grand + yes for all practical purposes http://tech.slashdot.org/comme... -
Take another read here also http://tech.slashdot.org/comme...
Most Cisco routers ARE NOT about basic routing. If they were, they would be out of business. You can keep beating this drum but you're obviously clueless of the differences between a DIY router and an enterprise router.
I'll show you 50% of the Fortune 100 where I can SSH directly to a switch or router with no jump server in the data path.
Sounds interesting. Please proceed!
See here http://tech.slashdot.org/comme... and here http://tech.slashdot.org/comme... since you'd never make it in business spending for no good reason. Especially for ROI.
I am by no means a tech geek, but I have DD-WRT...
In other words you're admitting to not knowing what the fuck you're talking about. Yet you continue to spew bullshit.
Your statement might as well be: "I am by no means a tech geek, but I stayed at a Holiday Inn". Because that's exactly how relevant your DD-WRT experience is.
"routers do packet filtering in hardware"
Every 82599 network card in my PC does hardware-level packet filtering, try again.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
I can do the job for most shops with a $1500 dual NIC pc, no router required. Your ROI for most places would be terrible. Don't consider management.
The point is that routers are far more secure and more easily secured than workstations. How does your breaking the law 75,000 times via a secure mechanism that you somehow managed to acquire or illegally retain authenticated access to refute the point?
See subject: Never going to happen! Good luck hitting a multi-point moving target opponent (can't be done).
* Haven't seen any of you shut me down on things technical in computing (just bogus downmods, all you understand how to do when you get floored to "hide" your fails)... & you CERTAINLY can't stop me from posting as much as I like either (which I do to RUN YOU DRY of your BOGUSLY ABUSED modpoints... works, every time too, lol! Why? I know YOU, better than YOU know yourselves!)
APK
P.S.=> Face facts: There's a reason why you networking menial dolts are the FAILURES of computing - you don't have the skills & chops to do *ANYTHING* but use what guys like ME (coders) create for you to use, user (with a better password @ best/most)... apk
See subject: That's all -> http://tech.slashdot.org/comme...
Of course, the networking MENIALS did the ONLY THING THEY KNOW HOW TO DO, downmod me http://tech.slashdot.org/comme...
(Good, & that's JUST FINE by me, since you keep blowing those modpoints fools - you'll run out soon enough & I'll still be able to say this, again by reposting it, lol...)
* :)
(So let's see the "mighty networkers" here stop me... lol, they can't & they KNOW it - why? FACT: Minus guys like myself, coders, who create the tools for these MENIALS to merely "use" as USERS WITH A BETTER PASSWORD ONLY @ best/most? They're fucking helpless...)
APK
P.S.=> I hope they downmod me again - I'll be doing some other slob a favor running them DRY of their abused modpoints...
(Yes, it's THAT simple for me to do & it works, every single time, lol... why? Well, easy - I know those dolts & 'their kind', lowest of the LOW online, better than they know themselves & they'll "ReAcT" the ONLY WAY THEY KNOW HOW, when faced with truths & defeat - bogus downmods - which I will remove their abilities in eventually by running them out of modpoints by simply reposting on my part - NO LIMITS here, they are limited)... apk
Thanks for clearly demonstrating that you cannot do it.
The rest of your posts are just meaningless drivel, with which you're digging the hole you're standing in ever deeper. Apparently, you're not even aware...
"Everyone needs to spend 1 million on a router!" (not). Only fools do that. Most shops don't need CISCO routers. They can build one from a PC or Server for $1500 tops and do the job easily. See my subject. The logic in it will shut you down right there. I doubt you drive an 18 wheeler to work instead of a car or motorcycle.
Odd you avoid his question (not). Go on. Spend 1 million on a router, fool. I won't. No need by far for 99.999% of shops to do the job.
Of course the majority of shops don't need equipment like that. Whoever suggested that? I certainly didn't. I have no intention of spending a million dollars on a router. I don't need that kind of capacity.
However: The parent poster clearly stated the ability to cobble together whatever's needed in terms of routing using basically any old pc and a couple of NICs. Something that would be equal to, or even better than, anything router-specific out there.
That's obviously not a true statement, easily shown by referencing just a single one of the more advanced routers out there.
Not sure why you'd call me a fool for calling the parent poster out when clearly lying.
Personally, I do just fine with PC-grade equipment for all my routing needs.
(I could be snarky here, but I won't.)
Proving routers can't do what PCs/servers can, including acting as routers. Routers can't do all a PC can.
The router should add a physical switch to prevent writes to the persistent memory.
Most shops don't need advanced routers like ISPs do. Most get by w/ less than what that poster said.
Everyone needs a million dollar router too (not). You don't even know filtering @ router level slows you too http://tech.slashdot.org/comme...
I filter using hosts files vs. threats & slowdowns online BUT I get back speed via adblocking + hardcoded fav sites @ the TOP of my hosts file. Ads represent up to 50% of many sites now, HUGE savings there (& yes, I am filtering) + calling out to LOCAL RAM caching the hosts file for those favs @ the TOP of hosts is by FAR faster than calling out to remote DNS servers!
* Just using what you have already, natively, built-in that is by DEFAULT the 1st resolver queried (& it can be sped up even MORE than the default with a simple registry file merge too, upping the IP stack's priority there over the defaults & disabling the faulty (in windows) slower usermode clientside DNS cache that FAILS with larger hosts files).
I've even AUTOMATED IT to make it as easy as possible, populating the threat blocking/adblocking data from 10 reputable sites in the security community via APK Hosts File Engine 9.0++ SR-2 32/64-bit http://start64.com/index.php?o...
APK
P.S.=> There's SORT OF an "exception" to your rule, in that yes, the filtering slows me SOME, but I get back a HELL OF A LOT MORE IN SPEED the ways I do above... it works & far more efficiently than browser addons (doing more than ANY SINGLE ONE OF THEM CAN for less for more speed, security, reliability, & anonymity online) OR locally setup DNS does, less wastefully... apk
Wasn't there some information published not too long ago that the NSA or CIA would intercept outbound network equipment and put their own components/software on them then ship them to their original destination? No news here, just the U.S. security apparatus at work.
That's a SWITCH, not a ROUTER. There are Tbit routers on the market, but they are not moving packets with a general purpose CPU.
And then for "remote management" they put a dialup modem on the console (or aux) port with a stupid simple password that isn't dependent on TACACS, etc. (because they need to be able to login when the network is fubar and cannot talk to those systems)
If I'm paying 500~thousands of dollars for a big Cisco router then is it so much to ask for the persistent memory to be a removable SD card? The only writable memory that persists on a reboot should be removable and scannable in a third party system. Pull the card, check it out... maybe flash replacement firmware to the card separately, then plug it back into the router.
I generally have this attitude with any firmware in any computer. Viruses are getting uploaded to them and how is the antiviral supposed to detect any of it?
I'd like this done with the BIOS firmware on motherboards and anything else in the machine that has firmware that can be flashed just by being connected to the computer.
Here someone will say "that will cost more money"... so the fuck what? You don't want that feature? Fine. You don't pay for it and you don't get it.
I'm quite happy to pay for it and I don't think it will be expensive. Look at all the bells and whistles we put on motherboards these days. Most of it costs you something like 5 or 10 dollars per feature. And here's the real sell point... if I can pull the firmware memory for every device capable of being infected... then I can guarantee a system is clean without junking it. Any other option is not going to give you certainty. This solution is the only way to ensure a complete purge of any infection. It's the only way to go.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
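Two posts above argue the same procedure from different ends: the signed image "is trivial to validate if you're THAT concerned", and the persistent storage should be removable so you can "pull the card, check it out" in a third-party system. Here is what that check looks like as an added example (not code from the thread, Cisco or Mandiant): every file copied off the card is hashed and compared against a vendor-published digest list, and the report distinguishes a modified image from a file the vendor never shipped from a file that has gone missing. The image bytes, the manifest and the file names (`router-image.bin`, `helper.bin`) are constructed for the example.

```python
import hashlib
import hmac


def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex digest>  <filename>') into {filename: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        entries[name.strip()] = digest.lower()
    return entries


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def audit_flash(files, manifest):
    """Compare every file copied off the removable storage against the
    known-good manifest. Returns {name: 'ok' | 'MISMATCH' | 'UNLISTED' | 'MISSING'}.
    Anything but 'ok' is a reason not to put the card back."""
    report = {}
    for name, data in files.items():
        expected = manifest.get(name)
        if expected is None:
            report[name] = "UNLISTED"          # a file the vendor never shipped
        elif hmac.compare_digest(sha256_hex(data), expected):
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"          # image bytes differ from the vendor's
    for name in manifest:
        if name not in files:
            report[name] = "MISSING"
    return report


def card_is_clean(report):
    return all(status == "ok" for status in report.values())


# Constructed data: a stand-in for the vendor image, its published digest,
# and a tampered copy with one byte changed.
GOOD_IMAGE = b"ROUTER-OS-IMAGE 15.x " + bytes(range(256))
TAMPERED_IMAGE = GOOD_IMAGE[:40] + b"\xff" + GOOD_IMAGE[41:]
MANIFEST = parse_manifest(f"""
# published digests for this release (constructed for the example)
{sha256_hex(GOOD_IMAGE)}  router-image.bin
""")

CLEAN_CARD = {"router-image.bin": GOOD_IMAGE}
SUSPECT_CARD = {"router-image.bin": TAMPERED_IMAGE,
                "helper.bin": b"\x7fELF not from the vendor"}

if __name__ == "__main__":
    for name, status in audit_flash(SUSPECT_CARD, MANIFEST).items():
        print(f"{status:8} {name}")
```

Two caveats the thread itself raises. The digest list is only as trustworthy as the channel it came from, which is what a vendor signature on the image adds over a bare hash. And if the implant lives in the bootrom and patches the image as it is decompressed into RAM, as one commenter suspects, the bytes on the card can hash clean while the running code does not; that is exactly why the check has to run on a separate machine and why the bootrom needs the same treatment as the flash.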
Cisco IOS routers themselves have an "autosecure" command that is essentially a wizard-style checklist that does indeed lock everything down pretty well by turning off everything that you don't think you need.
NXOS takes this a step further by having all features off by default, and you enable them as you need them.
Although IOS has a ton of services on by default (for example, eigrp, cdp) not all of them are actively listening unless you explicitly configure them, but still, turning them off is a good idea. IOS itself is somewhat of a holdover from the 80's where network security wasn't seen as being as big of a deal as it is today, and Cisco is resistant to making big changes like that. (Strangely, Cisco sees fit to continue IOS instead of using NXOS on all of its devices from now forward.)
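The post above and the earlier one asking whether your admin interface is "limited to the admin VLAN, locked down to SSH with keys" describe a checklist that is easy to audit offline from a saved `show running-config`. The following is an added example, not code from the thread or from Cisco: it splits the config into top-level lines and indented `line`/`interface`/`ip access-list` blocks, then checks the items the thread names (`enable secret` rather than `enable password`, `transport input ssh` on the VTY lines, an `access-class` restricting management sources, per-user login instead of a shared line password, HTTP management off, CDP explicitly disabled). Both configs are constructed; `<hash>` stands in for the hashed secrets a real config would show.

```python
import re

# 'username X password ...' stores a reversible (type 7 or cleartext) string;
# 'username X secret ...' stores a hash.
USERNAME_PASSWORD = re.compile(r"^username \S+ (?:privilege \d+ )?password\b")


def parse_sections(config):
    """Split IOS running-config text into top-level lines and the indented
    bodies of 'line ...', 'interface ...', 'ip access-list ...' blocks."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def audit_vty(header, body):
    findings = []
    transport = next((l for l in body if l.startswith("transport input")), None)
    if transport is None:
        findings.append(f"{header}: 'transport input' not pinned to ssh")
    elif any(w in transport.split() for w in ("telnet", "all")):
        findings.append(f"{header}: '{transport}' admits cleartext telnet")
    if not any(l.startswith("access-class") for l in body):
        findings.append(f"{header}: no 'access-class' ACL limiting management sources")
    if not any(l.startswith(("login local", "login authentication")) for l in body):
        findings.append(f"{header}: shared line password instead of per-user login")
    return findings


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    top, sections = parse_sections(config)
    findings = []
    if not any(l.startswith("enable secret") for l in top):
        findings.append("no 'enable secret': privileged password absent or reversible")
    if "service password-encryption" not in top:
        findings.append("'service password-encryption' unset: line passwords in clear")
    if "ip http server" in top:
        findings.append("'ip http server': cleartext HTTP management enabled")
    if "no cdp run" not in top:
        findings.append("CDP left at its default (on): platform details advertised to neighbours")
    for line in top:
        if USERNAME_PASSWORD.match(line):
            findings.append(f"user '{line.split()[1]}' stored with 'password' rather than 'secret'")
    for header, body in sections.items():
        if header.startswith("line vty"):
            findings.extend(audit_vty(header, body))
    return findings


# Constructed configs: the kind of thing found in the field, and the same box locked down.
WEAK_CONFIG = """\
hostname edge-rtr-1
enable password cisco123
username admin password 0 admin
ip http server
line con 0
 password cisco
 login
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input all
 password cisco
 login
"""

HARDENED_CONFIG = """\
hostname edge-rtr-1
service password-encryption
enable secret 5 <hash>
username admin secret 5 <hash>
no ip http server
no cdp run
ip access-list standard MGMT
 permit 10.10.0.0 0.0.0.255
line con 0
 login local
line vty 0 15
 access-class MGMT in
 transport input ssh
 login local
"""

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("WEAK:", finding)
    print("HARDENED:", audit(HARDENED_CONFIG) or "no findings")
```

This audits the configuration, not the device: it closes the door the summary says was used (default or stolen credentials over Telnet) but cannot see an implant that is already in the image, which by the summary's description honours its own backdoor password regardless of what the config says.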
I've been running my own successful business for about a decade. I've been at this field for longer than you and on more levels by far in computing. You see, I know you just got out of school, for Pete's sake, rookie. Yes, that's right, I know that (thank your post history for that much, rookie). Keep making others rich. It's "noble work" you're doing, selling your life for peanuts.
Your post history showed it. Big bucks? Pal, you're selling your life for peanuts making others rich. You'll realize that a few years down the road after they've taken their 80++ hour work weeks out of you since your employers know they can since you're a noobie. I feel sorry for you in a big way. You're going to start hearing "you work too much and I don't matter to you" from your woman, assuming you have one (and if they care for you, not your wallet's thickness, you'll hear it) and wonder why. Mark my words. I've been there/done that. Get smart. Start your own show.
That's what they teach in Cisco school, that you should be able to manage your entire enterprise from your desk. An instructor told us that you should use the same logon credentials throughout your enterprise because maintaining a full list was "impossible". Even on Cisco's enterprise management software there was no provision for expiring or rotating admin credentials, and the CCNIdiots gave me a puzzled look when I asked about it because they "couldn't imagine why anyone would ever want to do that."
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
No, how about we just replace IOS? The hardware's perfectly fine, it's just Cisco's OS that is an unmitigated piece of rotting carp.
One slot, eight Ethernet ports. It's ISA, and the ports are 10 Mb/s. Old is new again.
Fascinating. What an epic fail. I guess Cisco really does not understand security at all. Or they have some collaboration with the NSA to make sure that compromising one system (the network admin's) is enough to get into everything.
He made the point. Your post was useless.
You're a wageslave that works for others who pay you peanuts by comparison to profits they make from your efforts and they don't lift a finger compared to what you're doing and what they ought to pay you is far out of line with what you're actually netting. I don't get that ripoff anymore. I went into business for myself, and my time is mine not some slavemasters, and so far the profits (all mine). You'll wise up to it eventually. Of course, you've got to save up and have the means to do what I did first. Start your own business instead of making others wealthy.