Slashdot Mirror

← Back to Stories (view on slashdot.org)

Attackers Install Highly Persistent Malware Implants On Cisco Routers

Posted by timothy on from the managers-value-persistence dept.

itwbennett writes: Researchers from Mandiant have detected a real-world attack that has installed rogue firmware on Cisco business routers in four countries. The router implant, dubbed SYNful Knock, implements a backdoor password for privileged Telnet and console access and also listens for commands contained in specifically crafted TCP SYN packets — hence the name SYNful Knock. In the cases investigated by Mandiant the SYNful Knock implant was not deployed through a vulnerability, but most likely through default or stolen administrative credentials.

2 of 168 comments (clear)

  1. Re:Why do we still trust the manufacturer? by Amouth · · Score: 3, Insightful

    I am by no means a tech geek, but I have DD-WRT on my routers because ...

    No offence but the fact that you are comparing your DD-WRT home router with a Cisco infrastructure device and asking why we trust these vendors really highlights your comment.

    Hardware wise there is no comparison between Cisco business & infrastructure devices and what people normally load a variant of Linux on. I'm not saying it couldn't be done, but the Cisco IOS (and Juniper's OS) is an extremely specialized OS designed along with the hardware to serve a specific function.

    Now I will say that lately they are moving to more modular application based products (layer 4+) which are far more software based on marked up hardware, but for Core routers and switches (later 2/3 devices) there isn't really a quality substitute other than like in kind vendors hardware. At this point you just can't really "build your own" hardware and OS combo which can truly compete and be open source at the same time.

    --
    '...if only "Jumping to a Conclusion" was an event in the Olympics.'
  2. Re:Router Security by Anonymous Coward · · Score: 5, Insightful

    Routers don't typically get the same level of security attention as employee workstations or application servers that companies actually expect to be attacked.

    Well no, because you have them racked in a locked cage in a locked room in a restricted access Datacenter. You have network access restricted and strong authentication and logging/audit systems in place. It doesn't need much "security attention" because it's a hell of a lot easier to harden than a user workstation and has far fewer "attack surfaces" compared to an application server.

    They're not protected by firewalls

    Show me an Enterprise or Carrier grade router which doesn't have a firewall. They all have them, whether or not they're enabled along with other security policies, access lists, etc. is a matter of who is in charge of them.

    and don't have antimalware products

    Of course they don't. Why the fuck would they? They ought to be running a signed image file from the manufacturer, which is trivial to validate if you're THAT concerned about it.