Security researchers have uncovered rogue malware on Cisco enterprise routers that persists even after a router has been restarted.
Mandiant's team discovered the SYNful Knock implant on business routers in four different countries and when researching it realised that it differs from the malware found on many consumer routers as it doesn't disappear when the device is restarted.
"Finding backdoors within your network can be challenging; finding a router implant, even more so," the FireEye-owned company explained. "The impact of finding this implant on your network is severe and most likely indicates the presence of other footholds or compromised systems. This backdoor provides ample capability for the attacker to propagate and compromise other hosts and critical data using this as a very stealthy beachhead."
The implant itself is made up of a modified Cisco IOS image and Mandiant thinks that the malware made its way onto routers not because of a vulnerability but due to default or stolen administrative credentials. Modifications to the firmware image were such that they were done to specifically keep the size identical to what was there before and therefore avoid detection.
Once it's on the router, the firmware creates a password for Telnet and console access and listens for exact commands in TCP and SYN packets.
No longer on sale
Cisco 1841, 8211 and 3825 "integrated services routers" are affected, which are normally used by businesses or providers of managed network services, and the firmware has so far been found on 14 routers in Mexico, Ukraine, India and the Philippines. None of the models mentioned, however, are still being sold by Cisco.
The news will be worrying for Cisco and businesses at large because any router hacks have the ability to allow attackers to wrest a high level of control over network traffic, the ability to connect users to fake sites and attack any other devices that connect to the router.