Slashdot Mirror


Cyber-Espionage Groups Are Increasingly Leveraging Routers in Their Attacks (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: Cyber-espionage groups -- also referred to as advanced persistent threats (APTs) -- are using hacked routers more and more during their attacks, according to researchers at Kaspersky Lab. "It's not necessarily something new. Not something that just exploded," said Costin Raiu, director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, in a webinar today. "We've seen a bunch of router attacks throughout the years. A very good example is SYNful Knock, a malicious implant for Cisco [routers] that was discovered by FireEye, but also threat actors such as Regin and CloudAtlas. Both APTs have been known to have and own proprietary router implants." But the number of APTs leveraging routers for attacks has gone steadily up in the past year, and the tactic has become quite widespread in 2018. For example, the Slingshot APT (believed to be a US Army JSOC operation targeting ISIS militants) has used hacked MikroTik routers to infect victims with malware.

1 of 22 comments

  1. Re:How to detect? by skids · Score: 3, Interesting

    Put some sort of induction hardware both sides of the router network and see if the router is communicating in strange ways?

    Sure, but really smart advanced threats could do very hard-to-detect things like encoding CNC signals in packet latency or preferential ordering between streams. Basically you either have to discover and dissect an attacker's inserts because they screw up and tip you off that something is wrong, or do something stupid like sell their inserts on the dark web before they are done using them themselves.

    Have the desktop OS and AV able to scan the router from the network?

    If you know what you are doing, you limit control-plane communication on your more important nodes tightly. Plus desktop OS and AV don't usually have a rich signature set for anything but Intel processors. Also the only way to really "scan" a running router's software is to snoop the buses to get snapshots of the RAM... which, given the hardware is not commodity kit, is not usually done. No $80k/year net tech is going to try to attach JTAG or bus analyzers to a $20,000 production router blade. Sure, you can ask the router to dump RAM (or ROM, but since routers tend to stay up 24/7, RAM-only inserts are probably pretty common) if you can find the vendor's secret commands, but then it could just lie to you. Or crash, because the debug command set isn't QA'd nearly as well as the provisioning command set.

    The problem will get worse: these devices are getting more and more features that interact with payload traffic... the attack surface is expanding every year. And, with the push to SDN and zero-touch deployment features, more of the guts are being exposed to management stations, which are not notorious for being well secured, let me tell you.

    (BTW, pro tip: giving a Nessus station access to read the router config files live off the infrastructure devices is putting an awful lot of trust in the integrity of a workstation running a giant amount of hastily cobbled code. Nessus has an offline mode for router config file analysis. Strip your crypts and set up a secure rsync from your config backup server.)
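The "strip your crypts" step in the tip above, as an added example that is not the commenter's or Slashdot's own code: a Python pass that redacts IOS-style secrets from a backed-up config before it is rsynced to an offline analysis station, plus a line-level drift check against the backup baseline so an unexpected line on a device stands out. The sample config and the redaction patterns are constructed and assumed; other vendors' syntax needs its own patterns.

```python
import re
import hashlib
from typing import List, Tuple

# Constructed IOS-style config; hashes and keys are placeholders, not real credentials.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
enable secret 5 $1$abcd$placeholderhash
username admin privilege 15 secret 5 $1$efgh$placeholderhash
snmp-server community s3cr3t-ro RO
crypto isakmp key mypresharedkey address 203.0.113.10
line vty 0 4
 transport input ssh
"""

# (pattern, replacement): the captured prefix is kept, the secret token that follows is dropped.
SECRET_PATTERNS = [
    (re.compile(r"^(\s*enable secret \d )\S+"), r"\1<REDACTED>"),
    (re.compile(r"^(\s*username \S+ .*?(?:secret|password) \d )\S+"), r"\1<REDACTED>"),
    (re.compile(r"^(\s*snmp-server community )\S+"), r"\1<REDACTED>"),
    (re.compile(r"^(\s*crypto isakmp key )\S+"), r"\1<REDACTED>"),
]


def redact_config(text: str) -> str:
    """Return the config with every matched secret replaced; structure is left intact
    so an offline analyser still sees which features are enabled."""
    out = []
    for line in text.splitlines():
        for pat, repl in SECRET_PATTERNS:
            line, n = pat.subn(repl, line)
            if n:
                break  # one secret per line is the assumed syntax
        out.append(line)
    return "\n".join(out) + "\n"


def config_fingerprint(text: str) -> str:
    """SHA-256 of the redacted text, suitable for comparing against the backup's record."""
    return hashlib.sha256(text.encode()).hexdigest()


def config_drift(baseline: str, current: str) -> Tuple[List[str], List[str]]:
    """Order-insensitive line diff: (lines only in current, lines only in baseline).
    Run on redacted copies so a routine credential rotation does not register as drift."""
    base, cur = set(baseline.splitlines()), set(current.splitlines())
    added = [l for l in current.splitlines() if l not in base]
    removed = [l for l in baseline.splitlines() if l not in cur]
    return added, removed
```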