Slashdot Mirror


Attackers Install Highly Persistent Malware Implants On Cisco Routers

itwbennett writes: Researchers from Mandiant have detected a real-world attack that has installed rogue firmware on Cisco business routers in four countries. The router implant, dubbed SYNful Knock, implements a backdoor password for privileged Telnet and console access and also listens for commands contained in specifically crafted TCP SYN packets — hence the name SYNful Knock. In the cases investigated by Mandiant the SYNful Knock implant was not deployed through a vulnerability, but most likely through default or stolen administrative credentials.

9 of 168 comments

  1. Really? by EmeraldBot · · Score: 3, Funny

    hence the name "SYNful Knock"

    ACK! That pun was SYNful too!

    --
    "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
  2. Old news - even already reported by Cisco. by Moskit · · Score: 3, Informative

    Cisco already published a security advisory on that a month ago:
    http://tools.cisco.com/securit...

    Attackers required either valid admin credentials or physical access to the device to replace firmware. Such attacks were understood for a long time.

    Nevertheless it's interesting to observe an increase in attacks against infrastructure itself, rather than bandwidth.

  3. Re:Why do we still trust the manufacturer? by Amouth · · Score: 3, Insightful

    I am by no means a tech geek, but I have DD-WRT on my routers because ...

    No offence but the fact that you are comparing your DD-WRT home router with a Cisco infrastructure device and asking why we trust these vendors really highlights your comment.

    Hardware wise there is no comparison between Cisco business & infrastructure devices and what people normally load a variant of Linux on. I'm not saying it couldn't be done, but the Cisco IOS (and Juniper's OS) is an extremely specialized OS designed along with the hardware to serve a specific function.

    Now I will say that lately they are moving to more modular application based products (layer 4+) which are far more software based on marked up hardware, but for Core routers and switches (layer 2/3 devices) there isn't really a quality substitute other than like-in-kind vendors' hardware. At this point you just can't really "build your own" hardware and OS combo which can truly compete and be open source at the same time.

    --
    '...if only "Jumping to a Conclusion" was an event in the Olympics.'
  4. Re:'highly persistent' by bobbied · · Score: 5, Funny

    Hyperbole much?

    Yes, we ALWAYS do, EVERY time, without fail and without exception.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  5. Re:'highly persistent' by Phreakiture · · Score: 2

    Difference between factory reset and completely replacing the NVRAM, perhaps?

    --
    www.wavefront-av.com
  6. Re:Router Security by Anonymous Coward · · Score: 5, Insightful

    Routers don't typically get the same level of security attention as employee workstations or application servers that companies actually expect to be attacked.

    Well no, because you have them racked in a locked cage in a locked room in a restricted access Datacenter. You have network access restricted and strong authentication and logging/audit systems in place. It doesn't need much "security attention" because it's a hell of a lot easier to harden than a user workstation and has far fewer "attack surfaces" compared to an application server.

    They're not protected by firewalls

    Show me an Enterprise or Carrier grade router which doesn't have a firewall. They all have them, whether or not they're enabled along with other security policies, access lists, etc. is a matter of who is in charge of them.

    and don't have antimalware products

    Of course they don't. Why the fuck would they? They ought to be running a signed image file from the manufacturer, which is trivial to validate if you're THAT concerned about it.

  7. So Protect your Admin passwords.... by bobbied · · Score: 2

    Problem solved... Just be careful about administrative access controls...

    Now I know a bunch of folks who don't lock down their Cisco gear before they put it into production and they get what they deserve. But for Pete's sake, you simply MUST protect your equipment and that means keeping control of administrative credentials on these systems. Personally, I'd have all primary network equipment on a totally separate network infrastructure in the first place so the general population at a site didn't have direct access to the network equipment administrative interfaces, PLUS I would be very careful about who had access to both the network and credentials necessary to access the equipment. Not to mention I'd pretty much lock down the TFTP resources on that network so only approved and fully vetted firmware ever got where it could be flashed.

    I worked for a company that didn't password protect their Cisco VTP domain on their switches or change the default admin passwords and used telnet consoles. Yeah, it was easy to add a switch, just wire the thing up and voila, you got the VTP domain configuration pushed; worked great until an employee plugged in a factory fresh switch and deleted all the VLANs he saw on it. He unknowingly wiped the whole company's switching fabric clean (without backups, even in hard copy). It took 3 days to recover, during which time little business got done. They were extremely stupid.

    So, if you don't at least override the administrative defaults or don't manage your administrative credentials carefully, you are stupid and you get what you deserve in my book.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    1. Re:So Protect your Admin passwords.... by peragrin · · Score: 2

      I am waiting for this to happen. Remote admin is only available on this port. That way you can have a secondary secure network for upgrading. Even if that is then connected to the net via a secondary router it would be easier to secure. When designing my home network I plan on running three networks.

      One, an open wireless AP for guests.
      Two, a wired/wireless network for my use. Netflix, smart TV etc, etc.
      Third, a secure network accessible to the outside only through secure VPN etc. for IoT devices, cameras, smart home features etc as well as network control.

      As it is now I disable wireless remote admin to my network at home. To make updates I have to plug in directly. If a hacker has hardware access they can just reset the router completely anyways.

      --
      i thought once I was found, but it was only a dream.
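The controls the two posts above call for (no default or shared admin passwords, SSH instead of Telnet, admin interfaces reachable only from a separate management network, a VTP password, and TFTP locked down) as one IOS configuration. This is an added example, not from the thread or from Cisco; it is written for a Catalyst switch so the VTP lines apply (omit them on a router), and the hostname, ACL number, domain name, placeholder secrets and the 10.10.99.0/24 management subnet are all assumed values.

```cisco
! Added example: IOS management-plane hardening for the points raised above.
! Hostname, ACL 10, domain name, secrets and 10.10.99.0/24 are assumed values.

! --- Weak (the defaults / the situation described in the thread) ---
! line vty 0 4
!  password cisco            ! one shared, reversible line password
!  transport input telnet    ! cleartext admin channel, the one the implant backdoors
! (no vtp password)          ! any new switch joins the VTP domain and can push VLAN deletes

! --- Hardened ---
hostname dist-sw-1
service password-encryption
enable secret <strong-enable-secret>

! Per-user local accounts instead of a shared line password (AAA also needed for SCP)
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username netadmin privilege 15 secret <strong-user-secret>

! Only the out-of-band management subnet may reach the admin interfaces
access-list 10 remark MGMT-ONLY
access-list 10 permit 10.10.99.0 0.0.0.255
access-list 10 deny any log

! SSH v2 only, no Telnet; idle sessions time out; source restricted by ACL 10
ip domain-name example.internal
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 transport input ssh
 access-class 10 in
 exec-timeout 10 0
line con 0
 exec-timeout 10 0

! Throttle and log repeated login failures (a backdoor password is still a login path)
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log

! VTP: require a password so a factory-fresh switch cannot rewrite the VLAN database
vtp domain CORP
vtp password <strong-vtp-password>

! Image transfers over SCP (authenticated) rather than an open TFTP server
ip scp server enable
```

After an image is loaded, check it against the hash the vendor publishes for that file with `verify /md5 flash:<image-file> <expected-md5>`, which is the image validation comment 6 refers to.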
  8. Re:Why do we still trust the manufacturer? by Mr. Droopy Drawers · · Score: 2

    I think you're on the right track. There's a methodology underway that has enough momentum that it's got its own buzzword: SDN -- Software Defined Networking

    It uses the very architecture you're suggesting: essentially a bunch of PCI cards working to form a network switching matrix. OpenFlow is a standardized communications interface for controlling systems like SDN. Interesting reading.

    --
    To Copy from One is Plagiarism; To Copy from Many is Research.