Network security company FireEye has reported an attack called SYNful Knock that modifies the firmware on some Cisco routers, letting attackers maintain a persistent presence in the victim's router. According to the report, 14 such router implants were confirmed to exist in four different countries, including India. Cisco itself has acknowledged the attack and has published guidelines to help detect it. According to an IBTimes report, FireEye claims that these routers are gateways to entire countries' infrastructures and act as the 'ultimate listening device'. Interestingly, the report further notes that, given the sophistication of the attack, only nation states with sufficient resources and technical knowledge could carry it out, rather than individuals or private hacker groups. The company added that multiple countries are using the implant to spy on other countries.

The affected routers are the Cisco 1841, 2811 and 3825, although FireEye notes that other models are also likely affected, given their similar functions and shared IOS (Cisco's router OS) code base. Note that these attacks do not exploit a vulnerability as such; they require physical access or valid login credentials to install the backdoor. However, once installed, the backdoor gives attackers access to all data flowing through the router.

Persistent and modular: The malicious firmware survives router reboots and provides the attacker with access through a backdoor password over Telnet. The firmware can then be instructed to stealthily download further modules, although these modules are automatically removed on a…
