A serious vulnerability found in Cisco routers is far more widespread than at first thought, with nearly 200 IP addresses now affected in over 30 countries worldwide.
The networking giant said it is working with security intelligence firm Shadowserver to scan customers for Indicators of Compromise (IOCs) related to the SYNful Knock threat detected by FireEye last week.
SYNful Knock is a “stealthy modification” of router firmware made possible by flashing a modified ROMmon image, according to the security giant.
Originally it was thought that the threat affected only 14 victims across four countries – Ukraine, Philippines, Mexico and India.
However, the latest research reveals over 60 affected IPs in the US, over 10 in Russia and India, and then a long tail of other victims in China, Thailand, Poland and elsewhere.
Notable by their absence are any European countries thus far.
Shadowserver is recommending that any compromised router is identified and remediated immediately.
FireEye had the following description of the threats:
“The initial infection vector does not appear to leverage a zero-day vulnerability. It is believed that the credentials are either default or discovered by the attacker in order to install the backdoor. However, the router’s position in the network makes it an ideal target for re-entry or further infection.”
In fact, it is suspected that a nation state could be behind the attack, given the sophistication required to reverse engineer the ROMmon image and the effort of installing it without a zero-day.
SYNful Knock not only gives the attacker highly privileged access – seeing all the data that flows in and out of the router – but they also get persistence, as it stays put on reboot.
Cisco has released a set of instructions for detecting and mitigating the threat. This involves hardening devices, instrumenting the network, establishing a baseline, and analyzing deviations from that baseline.