Attackers Install Highly Persistent Malware Implants On Cisco Routers
itwbennett writes: Researchers from Mandiant have detected a real-world attack that has installed rogue firmware on Cisco business routers in four countries. The router implant, dubbed SYNful Knock, implements a backdoor password for privileged Telnet and console access and also listens for commands contained in specifically crafted TCP SYN packets — hence the name SYNful Knock. In the cases investigated by Mandiant the SYNful Knock implant was not deployed through a vulnerability, but most likely through default or stolen administrative credentials.
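The summary says the implant takes its commands from specially crafted TCP SYN packets. One defensive check that follows from that, added here as an example and not part of the article or of Mandiant's research: a pure SYN (SYN set, ACK clear) in a normal handshake carries no data, so SYNs with a payload are worth surfacing for inspection. The packet builder and the sample traffic below are constructed for the example; checksums are left at zero.

```python
import struct

SYN, ACK = 0x02, 0x10


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b"", seq=0, ack=0):
    """Build a minimal IPv4+TCP packet as constructed sample input.
    Checksums are left as zero; this is test data, not wire traffic."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags, 8192, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 6, 0,
                     src_b, dst_b)
    return ip + tcp + payload


def parse_ipv4_tcp(packet):
    """Return the TCP fields of interest, or None if this is not IPv4/TCP."""
    if len(packet) < 40 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total = struct.unpack("!H", packet[2:4])[0]
    tcp = packet[ihl:total]
    if len(tcp) < 20:
        return None
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return {
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF,
        "payload": tcp[data_off:],
    }


def syn_with_payload(packets):
    """Flag pure SYNs (SYN set, ACK clear) that carry data. A handshake SYN has
    no payload; TCP Fast Open (RFC 7413) is the legitimate exception, so a hit
    is something to inspect, not proof of an implant."""
    findings = []
    for raw in packets:
        p = parse_ipv4_tcp(raw)
        if p is None:
            continue
        if p["flags"] & SYN and not p["flags"] & ACK and p["payload"]:
            findings.append({"src": p["src"], "dst": p["dst"],
                             "dport": p["dport"],
                             "payload_len": len(p["payload"])})
    return findings


# Constructed sample traffic: an ordinary SYN, its SYN/ACK, and a SYN carrying
# eight bytes of data (the shape a command-over-SYN channel would produce).
SAMPLE = [
    build_ipv4_tcp("192.0.2.10", "192.0.2.1", 40000, 23, SYN, seq=1),
    build_ipv4_tcp("192.0.2.1", "192.0.2.10", 23, 40000, SYN | ACK, seq=500, ack=2),
    build_ipv4_tcp("198.51.100.7", "192.0.2.1", 51000, 80, SYN,
                   payload=b"\x00\x01\x02\x03\x04\x05\x06\x07", seq=7),
]

if __name__ == "__main__":
    for finding in syn_with_payload(SAMPLE):
        print(finding)
```

Run against captured traffic, the same check applies to any IPv4/TCP frame once the link-layer header has been stripped.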
One could consider that it was a NSA tool that was re-appropriated by criminals that discovered it.
Only an idiot exposes a Linux box directly to the Internet.
Does anybody know why this is HIGHLY PERSISTENT? Wouldn't a firmware update fix the issue?
ACK! That pun was SYNful too!
"Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
From TFA: "Routers don't typically get the same level of security attention as employee workstations or application servers that companies actually expect to be attacked. They're not protected by firewalls and don't have antimalware products running on them."
Huh?
Last time I checked, the whole point of the router was that it's a limited-purpose device and its management access was highly restricted, both in terms of credentials to access the management interface and of the networks that the management interface will communicate with.
Do not look into laser with remaining eye.
It's about time everyone had a long hard look at the software in their systems. Are they open enough for you to make the necessary fix should a problem arise?
I am by no means a tech geek, but I have DD-WRT on my routers because I can actually change the things I need the router to do. Disabling features in the interest of making more money in a higher end model is kinda dickish, but when you realize that the same dickishness (pardon the crude grammar) is likely responsible for hardcoded logins, it's a sad state of affairs.
Oh well.
Cisco already published a security advisory on that a month ago:
http://tools.cisco.com/securit...
Attackers required either valid admin credentials or physical access to the device to replace the firmware. Such attacks have been understood for a long time.
Nevertheless, it's interesting to observe an increase in attacks against the infrastructure itself, rather than bandwidth.
Hyperbole much?
Yes, we ALWAYS do, EVERY time, without fail and without exception.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
So your fix is to replace Cisco appliances entirely with PCs. Could you point me towards a PC offering 60 Tbit/s of switching capacity? Heck, can you point me towards a standard PC that can push 60 Tbit/s through the processor?
http://www.cisco.com/c/en/us/products/collateral/switches/nexus-9000-series-switches/datasheet-c78-729404.html
Difference between factory reset and completely replacing the NVRAM, perhaps?
www.wavefront-av.com
Routers don't typically get the same level of security attention as employee workstations or application servers that companies actually expect to be attacked.
Well no, because you have them racked in a locked cage in a locked room in a restricted access Datacenter. You have network access restricted and strong authentication and logging/audit systems in place. It doesn't need much "security attention" because it's a hell of a lot easier to harden than a user workstation and has far fewer "attack surfaces" compared to an application server.
They're not protected by firewalls
Show me an Enterprise or Carrier grade router which doesn't have a firewall. They all have them; whether or not they're enabled, along with other security policies, access lists, etc., is a matter of who is in charge of them.
and don't have antimalware products
Of course they don't. Why the fuck would they? They ought to be running a signed image file from the manufacturer, which is trivial to validate if you're THAT concerned about it.
They are riding what is probably already there, in the target network.
... is why all* devices where the end user reasonably expects that he "owns/controls" the device need to have a way for end users to do a "real" factory-reset.
*Super-cheap devices which are literally cheaper to replace than manage may be exceptions. With the "Internet of things" you may see future "smart" devices that cost less than $1 to replace.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Show us the infection! I suspect it's in the bootroms (rommon), and it can insert into any IOS during the unzipping of IOS into RAM (#######) ..
Problem solved... Just be careful about administrative access controls...
Now I know a bunch of folks who don't lock down their Cisco gear before they put it into production and they get what they deserve. But for Pete's sake, you simply MUST protect your equipment and that means keeping control of administrative credentials on these systems. Personally, I'd have all primary network equipment on a totally separate network infrastructure in the first place so the general population at a site didn't have direct access to the network equipment administrative interfaces, PLUS I would be very careful about who had access to both the network and credentials necessary to access the equipment. Not to mention I'd pretty much lock down the TFTP resources on that network so only approved and fully vetted firmware ever got where it could be flashed.
I worked for a company that didn't password protect their Cisco VTP domain on their switches or change the default admin passwords, and used telnet consoles. Yeah, it was easy to add a switch: just wire the thing up and voila, you got the VTP domain configuration pushed. It worked great until an employee plugged in a factory fresh switch and deleted all the VLANs he saw on it. He unknowingly wiped the whole company's switching fabric clean (without backups, even in hard copy). It took 3 days to recover, during which time little business got done. They were extremely stupid.
So, if you don't at least override the administrative defaults or don't manage your administrative credentials carefully, you are stupid and you get what you deserve in my book.
Well, that is the way people with an actual clue set it up. They may only ssh to the box with everything else off and a limited IP-range allowed for the source, or may use the serial port, via direct connection ("go there") or a hardened terminal server.
Unfortunately, many networking people are cheap and clueless and do what is most convenient. This is really the fault of management that hired cheaper than possible personnel, as has gotten so common in IT these days.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
My theory is this is on the top of the box, in contrast to "lowly persistent", which would be on the bottom of the box. It is always good to know where in the vertical hierarchy everything is!
You don't have your router's admin interface limited to the admin VLAN, locked down to SSH with keys, and restricted the admin VLAN to VPN access or devices with no internet access?
Last time I checked, the whole point of the router was that it's a limited-purpose device and its management access was highly restricted, both in terms of credentials to access the management interface and of the networks that the management interface will communicate with.
Yes, and they typically don't have anti-virus or get as much scrutiny as a workstation. What's your point?
The thing is, a telnet server can be done in very little code. An SSH server is a whole different sort of beast. And in fact, telnet is adequate here, just use a good password. If somebody is snooping on the connection, chances are they already know of the compromise and you are not telnetting into the box you think you are.
Great point, but to drive it home further, Cisco and Huawei both have core routers with petabit label routing.
The amount of RAM's the biggest difference and software to address it. Nothing more.
So you say that cisco routers and home pcs have the same video cards, the same USB subsystems, the same power supplies? This is great, I'm looking forward to playing some high performance video games on a cisco router.
No, they are not. Routers do packet filtering in hardware.
Certainly you can route with a PC, but without hardware filtering, you're slowing down the traffic.
A very low-end Cisco router could be described as "dual NIC/dual homed pc's with RAM + an OS." Most Cisco routers can take modules and WAN cards to expand their functionality beyond the one or two built-in NICs. Some Cisco routers don't even have NICs, just module and/or WAN slots.
http://www.cablesandkits.com/cisco-modules-c-50_83.html
True.
However, these devices are typically on their own private networks that only have traffic on them from 'authenticated users' to start with. So the idea is that you don't run SSH on this device that has so little GP computing power that you'll watch and wait for your characters to echo back at you while they are encrypted/decrypted, and instead just use a less secure layer 3 protocol because you already trust layer 2 implicitly.
Most routers/switches have only the most rudimentary process for general purpose things like handling SSH or telnet console sessions. They are designed with massive ability to route packets, but not massive ability to use them for other purposes. Routers and switches are REALLY FREAKING FAST at looking up numbers in a table and picking a place to put the data based on that. Beyond that, most are pretty feeble.
Nowadays it's a little different than it used to be; even 'feeble' routers are to the point where there's enough CPU for SSH to work nicely.
Then there is simplicity. You want to be able to talk to your router when you need to, when it is the least functional that it can possibly be. Once connected, using telnet is hardly different than a serial connection. Using SSH is radically different due to the requirement for both symmetrical and asymmetrical encryption for various stages of the connection. You can do telnet in a small number of lines of assembly fairly easily if you have a TCP stack available. It can be done inside the PANIC kernel for crash diagnostics and run off a small, already reserved memory buffer with no dynamic allocations. Yeah, you can do it with SSH, but it's just not worth it to introduce all that complexity and bugs ... when the device is only supposed to be listening on a 'secure' network.
Everything supports telnet. Fewer things support SSH. If you're building up from ground zero today, only using SSH is probably fairly easy. Not so much even just a few years ago, so there's going to be a LOT of legacy non-SSH capable devices out there.
Did you know that there are some blade servers (I just inherited some leftovers from work and discovered this) that have NO password on their management buses for telnet? You can just connect to that IP and poof, you're in and an admin. You can't even turn on authentication. Of course, it's an internal bus; the machine uses itself to communicate between different devices in the blade chassis like switches, storage control modules and the blades themselves. And unless you're stupid or experimenting (like I was), that internal network is never exposed to the rest of the world, so passwords on it are pointless and actually more of a problem than anything. But it is possible for you to destroy that private network if you dig down deep enough in the switch settings and set up some VLAN trickery. This is not a bug or an exploit, and it is not insecure unless you make it so.
So contrary to what you've heard from armchair security experts, using telnet isn't always a bad thing. There's more to the system than just telnet that has to be considered.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
I'll show you 50% of the Fortune 100 where I can SSH directly to a switch or router with no jump server in the data path. I know of one organization where from a desktop I can SSH to over 75,000 network devices unfettered... dg
The discussion was about routers not protected by firewalls. Most home "routers" are firewalls. That being said, my above post is how I have my home network set up.
Can your old PC can do what a $17,500 Cisco router can do?
The Cisco 4451-X offers a multicore CPU architecture running modular Cisco IOS XE software that dynamically adapts to the changing needs of your branch-office environment. The separation of the control and data planes provides the ability to deliver application-aware network services while maintaining a stable platform and a high level of performance during periods of heavy network load. With the ability to integrate application-aware services and the ability to scale performance without a complete equipment upgrade, the Cisco 4451-X offers exceptional total cost of ownership (TCO) savings and network agility through the intelligent integration of market-leading security, unified communications, and application services.
https://www.cdw.com/shop/products/Cisco-4451-X-Integrated-Services-Router-Application-Experience-with-Voice/3641687.aspx
I guess all these Fortune 500 companies are doing it all wrong. I did a project at a Google data center where the equivalent $1M Cisco router was implemented with high-performance network parts that took up two rows of equipment racks. The heart of that setup is a fiber optic switch that cost $30,000 and came in a hard shell box with two feet of foam on each side. That setup was less expensive and less finicky than the $1M Cisco router.
Most Cisco routers ARE NOT about basic routing. If it was, they would be out of business. You can keep beating this drum but you're obviously clueless of the differences between a DIY router and an enterprise router.
I'll show you 50% of the Fortune 100 where I can SSH directly to a switch or router with no jump server in the data path.
Sounds interesting. Please proceed!
Actually, I'm a senior system admin for 80,000 systems.
"routers do packet filtering in hardware"
Every 82599 network card in my PC does hardware-level packet filtering, try again.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
http://www.ntop.org/products/p...
Okay, there you go.
I read the other comments. You still haven't changed my mind that you're clueless.
That's why I get paid the big bucks. ;)
The point is that routers are far more secure and more easily secured than workstations. How does your breaking the law 75,000 times via a secure mechanism that you somehow managed to acquire or illegally retain authenticated access to refute the point?
If you can deliver a product that is easier to maintain and cheaper than the largest network gear provider to have ever existed, why aren't you a billionaire via eating Cisco's lunch?
The $1M Cisco router doesn't take up two rows of equipment racks, but it does require very precise wiring between internal components and has a PITA reputation to maintain. Google's workaround to that is to implement the same router functionality with standard equipment. This is slightly more expensive than a single router, easier to maintain in the long run and allows the implementation of newer technologies to replace existing parts when they become available.
No, I worked at a Google data center where they implemented their version of the $1M Cisco router. Most shops I worked for are Fortune 500 companies that buy a lot of Cisco equipment. I'm not in the SOHO market like you.
I spent the last decade doing IT support contract work and making 80% more money than the poor schmucks who stayed in one job and earned 2% raises. So what?
That's a SWITCH, not a ROUTER. There are Tbit routers on the market, but they are not moving packets with a general purpose CPU.
Don't you get tired making circular arguments with yourself? This is Slashdot, not Politico.
And then for "remote management" they put a dialup modem on the console (or aux) port with a stupid simple password that isn't dependent on TACACS, etc. (because they need to be able to login when the network is fubar and cannot talk to those systems)
They're the same command, moron. And this is done via a "BIOS" (ROMMON) hack. That is as undetectable as anything can get in a Cisco device. (since there's no way to read it back)
If I'm paying 500~thousands of dollars for a big Cisco router then is it so much to ask for the persistent memory to be a removable SD card? The only writable memory that persists on a reboot should be removable and scannable in a third party system. Pull the card, check it out... maybe flash replacement firmware to the card separately, then plug it back into the router.
I generally have this attitude with any firmware in any computer. Viruses are getting uploaded to them and how is the antiviral supposed to detect any of it?
I'd like this done with the BIOS firmware on motherboards and anything else in the machine that has firmware that can be flashed just by being connected to the computer.
Here someone will say "that will cost more money"... so the fuck what? You don't want that feature? Fine. You don't pay for it and you don't get it.
I'm quite happy to pay for it and I don't think it will be expensive. Look at all the bells and whistles we put on motherboards these days. Most of it costs you something like 5 or 10 dollars per feature. And here's the real sell point... if I can pull the firmware memory for every device capable of being infected... then I can guarantee a system is clean without junking it. Any other option is not going to give you certainty. This solution is the only way to ensure a complete purge of any infection. It's the only way to go.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
Cisco IOS routers themselves have an "autosecure" command that is essentially a wizard-style checklist that does indeed lock everything down pretty well by turning off everything that you don't think you need.
NXOS takes this a step further by having all features off by default, and you enable them as you need them.
Although IOS has a ton of services on by default (for example, eigrp, cdp) not all of them are actively listening unless you explicitly configure them, but still, turning them off is a good idea. IOS itself is somewhat of a holdover from the 80's where network security wasn't seen as being as big of a deal as it is today, and Cisco is resistant to making big changes like that. (Strangely, Cisco sees fit to continue IOS instead of using NXOS on all of its devices from now forward.)
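Several comments in this thread (the one above on turning off default IOS services, and the earlier ones on restricting admin access to an admin VLAN with SSH and keys, and on telnet consoles with default passwords) amount to a checklist that can be run against a running-config. The checker below is an added example, not Cisco's autosecure or any Cisco tool; it parses a `show running-config` text into top-level lines and their indented children and reports the weak settings those comments name. The two configs are constructed for the example, the `enable secret` hash is a placeholder, and IOS defaults vary by release, so treat the "absent line" checks as prompts to verify on the device rather than as proof.

```python
def parse_ios_config(text):
    """Split an IOS running-config into its top-level lines and, for each,
    the lines indented beneath it (e.g. the children of 'line vty 0 4')."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # skip blanks and '!' separators
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks[current] = []
    return top, blocks


def audit_management_plane(text):
    """Return a list of findings for the weak settings this thread discusses."""
    top, blocks = parse_ios_config(text)
    findings = []
    if any(line.startswith("enable password") for line in top):
        findings.append("'enable password' stores a reversible secret; use 'enable secret'")
    if "ip http server" in top:
        findings.append("HTTP management is enabled; 'no ip http server' unless required")
    if "ip ssh version 2" not in top:
        findings.append("'ip ssh version 2' not set; verify SSHv1 cannot be negotiated")
    if "no cdp run" not in top:
        findings.append("CDP not explicitly disabled; 'no cdp run' where it is not needed")
    vty_blocks = [h for h in top if h.startswith("line vty")]
    if not vty_blocks:
        findings.append("no 'line vty' block found; cannot verify remote access policy")
    for hdr in vty_blocks:
        kids = blocks[hdr]
        transport = [k for k in kids if k.startswith("transport input")]
        # Only an exact 'transport input ssh' counts; 'telnet ssh' or 'all' does not.
        if not transport or any(t.split() != ["transport", "input", "ssh"] for t in transport):
            findings.append(f"{hdr}: transport input not restricted to ssh ({transport or 'default'})")
        if not any(k.startswith("access-class") for k in kids):
            findings.append(f"{hdr}: no access-class limiting which source networks may connect")
    return findings


# Constructed sample: the kind of setup the thread complains about.
WEAK_CONFIG = """\
hostname edge-rtr
enable password cisco123
ip http server
!
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

# Constructed sample: the same box with the thread's recommendations applied.
HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
enable secret 5 <HASH-PLACEHOLDER>
no ip http server
no cdp run
ip ssh version 2
ip access-list standard MGMT
 permit 10.10.99.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT in
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_management_plane(cfg) or ["no findings"])
```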
Are you jealous that I'm enjoying my peanuts while you're slinging monkey poo to hide the fact that you're unemployable?
You are an intentional troll aren't you? You say one thing, then refute it with another, are called out on your inconsistency and the best you have is an unsolicited personal attack.
You're trolling me with your circular arguments, misrepresentations of what I wrote and personal attacks against me. You can't even reply to the correct comment! If you're complaining about being an AC on /., turn in your geek creds and don't let the door hit your ass on the way out.
That's what they teach in Cisco school, that you should be able to manage your entire enterprise from your desk. An instructor told us that you should use the same logon credentials throughout your enterprise because maintaining a full list was "impossible". Even on Cisco's enterprise management software there was no provision for expiring or rotating admin credentials, and the CCNIdiots gave me a puzzled look when I asked about it because they "couldn't imagine why anyone would ever want to do that."
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
No, how about we just replace IOS? The hardware's perfectly fine, it's just Cisco's OS that is an unmitigated piece of rotting carp.
I only work 40 hours a week from 7:00AM to 3:30PM (1/2 hour lunch), as specified in my contract. The last time I worked 80 hours a week was ten years ago. I've been doing I.T. support for 18 years. If you're smart (which I doubt), you wouldn't reply to this comment.
Ah, but this isn't a standard advanced persistent threat, this is a new leading progressive radical extreme foremost precedent-setting brilliant smart flexible wide-scope refined intense dazzling acute severe maximum ultimate persistent threat.
(That's a standard APT, but machined from aircraft-grade aluminium, and painted tactical black).
Fascinating. What an epic fail. I guess Cisco really does not understand security at all. Or they have some collaboration with the NSA to make sure that compromising one system (the network admin's) is enough to get into everything.
Or I can work 40 hours a week with great benefits and run my business on the weekends. Paying the bills AND making extra money. Woo-hoo!
And when you issue that command, what interprets it? Has that code that interprets the command been compromised? Are you sure?
I can't recommend a specific router. However, I typically go with the business-class routers. Although more expensive than a home-class router, they have more features and last longer. I had too many home-class routers die on me. Never a good thing if you're working from home.