Sunday 20 September 2015

Major attack

Major attack on Cisco routers: protect your enterprise from SYNful Knock

An earlier version of this article stated that SYNful Knock exploited a Cisco IOS vulnerability. FireEye and Cisco indicate that no vulnerability is exploited; installing the implant requires physical access, discovery of the administrator password, or use of a default password. Cisco has published a guide on detecting and removing the implant in question.

On September 15, 2015, security research firm FireEye announced a major vulnerability in Cisco IOS called SYNful Knock. It allows attackers to take control of enterprise-class routers, monitor all network communications passing through them, and gain an easier path to infecting other devices on the network.

At the time of publication, 14 infected routers were known, located in India, Mexico, the Philippines and Ukraine. Known affected models include the Cisco 1841, 2811 and 3825 routers, products that Cisco no longer sells. In an interview with Reuters, FireEye CEO Dave DeWalt said that, based on logs from affected routers, the attacks have been going on for "at least a year."

According to FireEye, similarities in core functionality and IOS code indicate that other router models are likely vulnerable to this exploit.

How this vulnerability works

According to the bulletin published by FireEye:

The implant consists of a modified Cisco IOS image that allows the attacker to load different functional modules from the anonymity of the Internet. The implant also provides unrestricted access using a secret backdoor password. Each of the modules is enabled via the HTTP protocol (not HTTPS), using specially crafted TCP packets sent to the router's interface. The packets have a nonstandard sequence number and corresponding acknowledgment number. The modules can manifest themselves as independent executable code or as hooks within the router's IOS that provide functionality similar to the backdoor password. The backdoor password provides access to the router through the console and Telnet.

The implant persists across reboots, but the modules loaded by the attackers exist only in RAM and are therefore cleared after a reboot. Affected routers retain their normal routing functionality, which makes infected systems hard to notice.

In its bulletin on the vulnerability, FireEye breaks down the changes made to the Cisco IOS binary into these four aspects:

  •     Modify the Translation Lookaside Buffer (TLB) read/write attributes
  •     Modify a legitimate IOS function to call and initialize the malware
  •     Overwrite legitimate protocol handling functions with malicious code
  •     Overwrite strings referenced by legitimate functions with strings used by the malware

How to detect and remediate vulnerable systems

In Cisco's post on the vulnerability, the company said it has added a Snort rule to detect affected systems. Given the role and placement of routers in the network, it is advisable to check the devices connected to any network in which the implant was found for signs of further intrusion.

The modules loaded by the implant do not persist across reboots. For forensic purposes, collecting the modules requires a core dump. FireEye said detailed instructions on how to detect the implant are forthcoming.
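As an added illustration of the detection problem (this is my own example, not code from FireEye, Cisco, or the Snort rule mentioned above): the bulletin describes the trigger as TCP packets with a nonstandard sequence/acknowledgment relationship. A bare SYN normally carries an acknowledgment number of zero, so the heuristic below flags SYNs whose ACK flag is clear but whose ack field is nonzero; the sample packets and the 0x1234 offset are constructed for the demo and are not the implant's actual constant.

```python
import struct

SYN, ACK = 0x02, 0x10

def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags):
    """Build a minimal IPv4 + 20-byte TCP header (no options, checksums zeroed).
    Used only to construct sample packets inline; not real captured traffic."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

def parse_tcp(pkt):
    """Return (src, dst, sport, dport, seq, ack, flags) from a raw IPv4/TCP packet, else None."""
    if pkt[9] != 6:  # IPv4 protocol field: 6 = TCP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    return src, dst, sport, dport, seq, ack, flags

def is_anomalous_syn(seq, ack, flags):
    """True for a bare SYN (ACK flag clear) that still carries a nonzero ack number.
    A normal SYN sends ack=0, so a SYN whose ack is tied to its sequence number is
    the kind of nonstandard seq/ack pairing the bulletin describes (a heuristic,
    not the implant's exact signature)."""
    return bool(flags & SYN) and not (flags & ACK) and ack != 0

def scan(packets):
    """Return one (src, dst, dport, seq, ack) tuple per anomalous SYN in packets."""
    alerts = []
    for pkt in packets:
        fields = parse_tcp(pkt)
        if fields is None:
            continue
        src, dst, _sport, dport, seq, ack, flags = fields
        if is_anomalous_syn(seq, ack, flags):
            alerts.append((src, dst, dport, seq, ack))
    return alerts

# Constructed samples: a normal SYN, its SYN-ACK reply, and a suspicious SYN to the
# router's HTTP port whose ack field is derived from its own sequence number.
SAMPLE_PACKETS = [
    build_ipv4_tcp("10.0.0.5", "10.0.0.1", 40000, 80, 1000, 0, SYN),
    build_ipv4_tcp("10.0.0.1", "10.0.0.5", 80, 40000, 5000, 1001, SYN | ACK),
    build_ipv4_tcp("203.0.113.7", "10.0.0.1", 51234, 80, 0x1000, 0x1000 + 0x1234, SYN),
]
if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print("anomalous SYN: %s -> %s:%d seq=0x%x ack=0x%x" % alert)
```

In practice the same check would be run over a capture of traffic to the router's management interfaces, and any hit is a reason to pull a core dump before rebooting, since the loaded modules do not survive a restart.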

Since the implant itself persists across reboots, the only available option is to reflash the router with the latest Cisco IOS image available for the device to ensure complete removal of the implant.

Who is responsible for this attack?

Persistent attacks on enterprise-class routers have until now been mainly a theoretical problem, as the protection and security of these devices differ greatly from those of consumer routers, which have repeatedly been found to contain vendor-introduced vulnerabilities.

In an interview with Reuters, DeWalt declined to speculate on the specific source of the attack, but noted that "[this] feat is only obtainable by a handful of nation-state players." Reuters named the intelligence services of Britain, China, Israel, Russia and the United States as having the technical capability to orchestrate such an attack.
