
Network security company FireEye has reported an attack called SYNful Knock that modifies the firmware on some Cisco routers, letting attackers maintain a persistent presence on the victim’s router. According to the report, 14 such router implants were confirmed to exist in four different countries, including India.
Cisco itself admitted to the hack and has published guidelines to help detect such attacks. According to this ibtimes report, FireEye claims that these routers are gateways to entire countries’ infrastructures and act as the ‘ultimate listening device’. Interestingly, the report further mentions that due to the sophistication of the attack, only nations with enough resources and technical knowledge could carry it out, rather than individual users or private hacker groups. The company added that multiple countries are using the exploit to spy on other countries.
The affected routers are Cisco 1841, 2811 and 3825 routers, although FireEye mentions that other models are also likely affected based on the similarity in function and IOS (Cisco’s router OS) code base. Note that these attacks do not take advantage of any vulnerability as such, and instead require physical access or login credentials in order to install the backdoor. However, once installed, the backdoor lets attackers access all data flowing through the router.
Persistent and modular: The malicious firmware persists across router reboots, and provides access to the attacker via a backdoor password over Telnet. The firmware can then be instructed to stealthily download other modules, although these modules are automatically removed on a reboot. The modules are enabled via HTTP (rather than HTTPS), and use customised TCP packets to communicate back and forth with the attackers.
What it does: The modified IOS firmware loads a covert network command-and-control channel that sends TCP header values and content back to the attacker. Besides reading the network status and traffic, the firmware can load up to 100 additional modules on the victim router and supports five malicious commands: to return the state of modules, allocate space for additional modules, download modules, activate modules and delete them.
Pakistani firm cyber stealing: In March, a two-year investigation by FireEye revealed that a Pakistani cyber security firm, Tranchulas, had reportedly been stealing information from the Indian government and defence establishments. According to FireEye, Tranchulas, which claims to have helped the Pakistani government prepare for cyber warfare, sent emails containing malicious code to Indian government officials.
NSA snooping: In June last year, we had reported that India may be working with the NSA to intercept email, chat, VPN data, VoIP and voice call records among others. This was also based on documents that were released by Edward Snowden. According to these documents, India is an “Approved SIGINT partner” with the NSA.
Another document leaked by Snowden showed that the Indian embassy in the US was also monitored. The NSA used implants (sensors and recording devices), screen grabs, created images of disks and used ‘data from magnetic emanations’ to carry out the monitoring.