SYNful Knock router exploit isn’t going away soon

Stealth of malware speaks to sophistication of creators, researcher says

The SYNful Knock compromise of routers can implant software that creates backdoors to let attackers return over and over, a sophisticated endeavor that demonstrates the ingenuity of its creators, according to a member of the team that discovered the attack in the wild.

The software has features that enable it to stay hidden within networks so it can be updated and new attack modules can be downloaded for long periods of time, according to FireEye researchers.

“The impressive portion of the attack is the implant and not the delivery,” says Tony Lee, technical director at FireEye. “This sort of implant would take significant skills to produce and go undetected for so long.”

And, Lee says in an email response to questions, it’s not going away any time soon. “Unfortunately, there is no permanent fix,” he says. “Attackers will modify their techniques and defenders will do the same. This is an issue that will not go away. In fact, it will very likely increase in sophistication and we should be ready for it.”

The attack was delivered to routers using stolen legitimate credentials, an effective but straightforward means of gaining access to a device.

More sophisticated was the way it hid itself to avoid standard detection efforts. The implant installs a modified IOS image on the device, and it persists even after the device is rebooted, the FireEye researchers say.

In addition, SYNful Knock masks the presence of malware it deposits on the compromised router by overwriting little used functions. “To prevent the size of the image from changing, the malware overwrites several legitimate IOS functions with its own executable code,” the researchers say. “The attackers will examine the current functionality of the router and determine functions that can be overwritten without causing issues on the router. Thus, the overwritten functions will vary upon deployment.”
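The defensive consequence of that size-preserving overwrite is that checking an image's file size against the vendor's listed size proves nothing; only a cryptographic hash of the whole image, compared against a known-good value, catches an in-place modification. The following is an added example, not code from the article or from FireEye or Cisco: it treats the image as an opaque byte string (no real IOS format is parsed), builds a constructed sample image, simulates an equal-length overwrite in that test data, and shows a hash-based check flagging it where a size-only check passes. The `diff_regions` helper goes one step further than the text and reports which byte ranges of a suspect image differ from the known-good copy, which is what a responder would want when deciding which functions were replaced. All names, the sample image and the offset used are assumptions of this example.

```python
"""Added example (not from the article, FireEye or Cisco): verifying a router
image against a known-good record by hash rather than by size."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ImageRecord:
    """Known-good record for one image, as a vendor hash list would provide it."""
    name: str
    size: int
    sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_record(name: str, data: bytes) -> ImageRecord:
    """Build the known-good record from a trusted copy of the image."""
    return ImageRecord(name, len(data), sha256_hex(data))


def check_image(record: ImageRecord, data: bytes) -> Dict[str, object]:
    """Compare a suspect image to its record; size and hash are reported separately
    so the reader can see why a size-only check is insufficient."""
    size_ok = len(data) == record.size
    hash_ok = sha256_hex(data) == record.sha256
    if hash_ok:
        verdict = "match"
    elif size_ok:
        verdict = "tampered-same-size"  # passes a size check, fails the hash
    else:
        verdict = "mismatch"
    return {"size_ok": size_ok, "hash_ok": hash_ok, "verdict": verdict}


def diff_regions(good: bytes, suspect: bytes) -> List[Tuple[int, int]]:
    """Return [start, end) offset ranges where two equal-length images differ,
    i.e. the regions a responder would inspect for replaced code."""
    if len(good) != len(suspect):
        raise ValueError("diff_regions expects equal-length images")
    regions: List[Tuple[int, int]] = []
    start = None
    for i, (a, b) in enumerate(zip(good, suspect)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, len(good)))
    return regions


def patch_in_place(data: bytes, offset: int, payload: bytes) -> bytes:
    """Constructed test helper: overwrite bytes without changing the length,
    mirroring the size-preserving modification the text describes."""
    if offset < 0 or offset + len(payload) > len(data):
        raise ValueError("payload does not fit inside the image")
    return data[:offset] + payload + data[offset + len(payload):]


# Constructed sample data (assumption: no real image format is involved).
GOOD_IMAGE = b"CONSTRUCTED-IMAGE-HEADER" + bytes(range(256)) * 8
RECORD = make_record("constructed-ios.bin", GOOD_IMAGE)
TAMPERED_IMAGE = patch_in_place(GOOD_IMAGE, 300, b"\xAA" * 16)
TRUNCATED_IMAGE = GOOD_IMAGE[:-1]


if __name__ == "__main__":
    for label, img in (("good", GOOD_IMAGE), ("tampered", TAMPERED_IMAGE),
                       ("truncated", TRUNCATED_IMAGE)):
        print(label, check_image(RECORD, img))
    print("differing regions:", diff_regions(GOOD_IMAGE, TAMPERED_IMAGE))
```

The practical takeaway is the `tampered-same-size` verdict: the known-good record must carry a hash taken from a trusted copy (ideally obtained out of band from the vendor, not from the suspect device), and the comparison must cover the whole image rather than the size or a header field.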

FireEye discovered SYNful Knock at work on 14 Cisco routers in the wild, but warned that the same type of exploit could be carried out against any router.

And once it’s installed, attackers can work long-term to compromise other machines on the routers’ networks to carry out theft or attacks that cripple networks, Lee says in response to emailed questions. “Theoretically, because of the router’s privileged position, the implant could be used for anything from denial of service to data theft,” he says.

“The impact of finding this implant on your network is severe and most likely indicates the presence of other footholds or compromised systems,” FireEye researchers say in their blog.

Stories by Tim Greene