Up until now, malicious attacks on commercial routers have existed only as a hypothetical possibility. But this week security researchers have discovered the first backdoor attacks on Cisco routers across four countries, which could mark the birth of a dangerous new threat to networks.
More than a dozen routers in four countries made by the world’s top supplier have been found to be infected by a persistent type of malware that gains direct control of an infected router, wrote security firm FireEye in a report published on Tuesday.
Altogether, FireEye’s computer forensic arm Mandiant has so far found 14 instances of the router implants in India, Mexico, the Philippines and Ukraine, but it said that this may be just the tip of the iceberg in terms of yet-to-be-discovered attacks.
The highly sophisticated form of malware, dubbed SYNful Knock, has been called ‘the ultimate cybercrime tool’ by FireEye CEO Dave DeWalt because of its ability to replace the basic software controlling the routers, meaning that infections persist even when devices are shut off, and because the router’s position in the network makes it the ideal target for re-entry or further infection.
‘The impact of finding this implant on your network is severe,’ said FireEye, ‘and most likely indicates the presence of other footholds or compromised systems. This backdoor provides ample capability for the attacker to propagate and compromise other hosts and critical data using this as a very stealthy beachhead.’
Even the presence of the backdoor can be difficult to detect, as it uses non-standard packets as a form of pseudo-authentication. FireEye said that network logs suggest the attacks have already been carried out for at least a year.
The malware can potentially infect other makes of router.
‘It should be evident now that this attack vector is very much a reality and will most likely grow in popularity and prevalence,’ said FireEye’s blog. It added that it would be examining methods used to passively and actively detect the implant in further blog posts.
Lamar Bailey, vulnerability and exposures team leader at cyber security firm Tripwire, explained why attacks on routers are particularly attractive to those wanting to commit corporate espionage: routers operate outside the perimeter of the firewalls, anti-virus and other security tools that organisations around the world use to safeguard data traffic.
‘Routers are one of the Holy Grail targets for attackers because they lie outside of many normal security protections,’ said Bailey. ‘It appears that attackers have targeted specific routers and firmware versions and they are able to gain access to the routers via weak or default credentials. Once the router is compromised they overwrite the firmware with modified, malicious versions designed to run on the specific hardware.’
Tripwire explained that it’s likely that these attackers have either bought these routers new or purchased used ones off eBay in order to reverse engineer the firmware and create malicious versions.
‘Modifying firmware for your own needs or to add new features is a common practice and has been used to great success on home routers and access points.’
‘This is just the same practice used on a grander scale in order to facilitate cybercrime. The new firmware operates like the original but has some added features that allow the attackers to snoop on the traffic passing through the device.’
In order to protect themselves, Bailey added, organisations need to tightly control access to their routers, use strong passwords, and monitor them closely for configuration changes that can indicate compromise.
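The monitoring Bailey recommends amounts to two baseline checks: has the running configuration drifted, and is the boot image on flash still the one the vendor shipped. The script below is an added example, not FireEye's or Tripwire's tooling; it assumes you can export the running configuration and copy the boot image off the device, and the configuration text, image bytes and hostname are all constructed.

```python
import hashlib
import re
from typing import Dict, List

# Constructed sample: two captures of `show running-config` from the same router.
# The timestamp banner changes on every save, so it must be ignored or every
# capture looks like drift.
BASELINE_CONFIG = """\
! Last configuration change at 10:02:11 UTC Mon Sep 14 2015
hostname edge-rtr1
boot system flash:c2800nm-adventerprisek9-mz.bin
username admin privilege 15 secret 5 $1$constructed$hash
line vty 0 4
 transport input ssh
"""

CURRENT_CONFIG = """\
! Last configuration change at 03:41:57 UTC Tue Sep 15 2015
hostname edge-rtr1
boot system flash:c2800nm-adventerprisek9-mz.bin
username admin privilege 15 secret 5 $1$constructed$hash
username support privilege 15 password 0 support
line vty 0 4
 transport input ssh telnet
"""

# Comment lines that legitimately change between captures (assumed pattern).
VOLATILE = re.compile(r"^!.*(configuration change|NVRAM config last updated)", re.I)


def normalize(config: str) -> List[str]:
    """Drop blank and volatile lines; keep indentation, which carries meaning in IOS."""
    return [ln.rstrip() for ln in config.splitlines() if ln.strip() and not VOLATILE.match(ln)]


def config_drift(baseline: str, current: str) -> Dict[str, List[str]]:
    """Return lines added to and removed from the baseline; empty lists mean no drift."""
    base, cur = set(normalize(baseline)), set(normalize(current))
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


# Constructed stand-in for the vendor image; in practice the known-good digest
# comes from the vendor's published checksum for the exact image you deployed.
GOOD_IMAGE = b"constructed-known-good-ios-image-bytes"
KNOWN_GOOD_IMAGES = {"c2800nm-adventerprisek9-mz.bin": hashlib.sha256(GOOD_IMAGE).hexdigest()}


def image_ok(name: str, data: bytes) -> bool:
    """True only if the image pulled off flash matches the recorded known-good digest."""
    return hashlib.sha256(data).hexdigest() == KNOWN_GOOD_IMAGES.get(name)
```

A drift report that shows a new privileged account or telnet re-enabled on the VTY lines is exactly the configuration change Bailey describes, and an image digest mismatch is the check that catches a replaced firmware image even when the configuration is untouched.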