The SYNful Knock compromise of routers can implant software that creates backdoors to let attackers return over and over, a sophisticated endeavor that demonstrates the ingenuity of its creators, according to a member of the team that discovered the attack in the wild.
The software has features that enable it to stay hidden within networks so it can be updated and new attack modules can be downloaded for long periods of time, according to FireEye researchers.
“The impressive portion of the attack is the implant and not the delivery,” says Tony Lee, technical director at FireEye. “This sort of implant would take significant skills to produce and go undetected for so long.”
And, Lee says in an email response to questions, it’s not going away any time soon. “Unfortunately, there is no permanent fix,” he says. “Attackers will modify their techniques and defenders will do the same. This is an issue that will not go away. In fact, it will very likely increase in sophistication and we should be ready for it.”
The attack was delivered to routers via stolen legitimate credentials, an effective but straightforward means of gaining access to a machine.
More sophisticated was the way it hid itself to avoid standard detection efforts. The implanted software installed a modified IOS image on the machines, and persists on the machines even after the devices are rebooted, the FireEye researchers say.
In addition, SYNful Knock masks the presence of malware it deposits on the compromised router by overwriting little used functions. “To prevent the size of the image from changing, the malware overwrites several legitimate IOS functions with its own executable code,” the researchers say. “The attackers will examine the current functionality of the router and determine functions that can be overwritten without causing issues on the router. Thus, the overwritten functions will vary upon deployment.”
FireEye discovered SYNful Knock at work on 14 Cisco routers in the wild, but warned that the same type of exploit could be carried out against any router.
And once it’s installed, attackers can work long-term to compromise other machines on the routers’ networks to carry out theft or attacks that cripple networks, Lee says in response to emailed questions. “Theoretically, because of the routers privileged position, the implant could be used for anything from denial of service to data theft,” he says.
“The impact of finding this implant on your network is severe and most likely indicates the presence of other footholds or compromised systems,” FireEye researchers say in their blog.