Cisco router break-in

cisco_blue_logo

Cisco routers are reported to have been broken into.

The Reuters report is an interesting read.

It should be noted that Cisco says the break ins were not because of vunerabilities in the Cisco IOS. It appears that either admin passwords were stolen probably thru social engineering OR physical access was gained.

The main suspects are the US, Britain, Israel, Russia and China.

What I am curious about is how additional software, apparently called “SYNful”, can be implanted into the Cisco IOS.

 

===============================================================

http://www.reuters.com/article/2015/09/15/us-cybersecurity-routers-cisco-systems-idUSKCN0RF0N420150915

Security researchers say they have uncovered clandestine attacks across three continents on the routers that direct traffic around the Internet, potentially allowing suspected cyberspies to harvest vast amounts of data while going undetected.

In the attacks, a highly sophisticated form of malicious software, dubbed SYNful Knock, has been implanted in routers made by Cisco (CSCO.O), the world’s top supplier, U.S. security research firm FireEye (FEYE.O) said on Tuesday.

Routers are attractive to hackers because they operate outside the perimeter of firewalls, anti-virus, behavioral detection software and other security tools that organizations use to safeguard data traffic. Until now, they were considered vulnerable to sustained denial-of-service attacks using barrages of millions of packets of data, but not outright takeover.

“If you own (seize control of) the router, you own the data of all the companies and government organizations that sit behind that router,” FireEye Chief Executive Dave DeWalt told Reuters of his company’s discovery.

“This is the ultimate spying tool, the ultimate corporate espionage tool, the ultimate cybercrime tool,” DeWalt said.

The attacks have hit multiple industries and government agencies, he said.

Cisco confirmed it had alerted customers to the attacks in August and said they were not due to any vulnerability in its own software. Instead, the attackers stole valid network administration credentials from targeted organizations or managed to gain for themselves physical access to the routers.

“We’ve shared guidance on how customers can harden their network, and prevent, detect and remediate this type of attack,” Cisco said in a statement.

CYBERSPIES SEEN RESPONSIBLE

Altogether FireEye’s computer forensic arm Mandiant has so far found 14 instances of the router implants in India, Mexico, Philippines and Ukraine, the company said in a blog post at bit.ly/1ObMm7u. It added that this may be just the tip of the iceberg in terms of yet-to-be-discovered attacks.

Because the attacks actually replace the basic software controlling the routers, infections persist when devices are shut off and restarted. If found to be infected, FireEye said basic software used to control those routers would have to be re-imaged, a time-consuming task for technicians.

Hitherto, infections of commercial routers, while not unknown, have largely remained theoretical threats, DeWalt said, as distinct from routers consumers use at home, which according to media reports have been hit by malware in recent years.

Experts reckon there are only a small number of nations with cyber intelligence services which are capable of such attacks on network equipment, including those of Britain, China, Israel, Russia and the United States.

“That feat is only able to be obtained by a handful of nation-state actors,” DeWalt said, while declining to name which countries he suspected might be behind the Cisco router attacks.

The malicious program has been nicknamed “SYNful” in reference to how the implanted software can jump from router to router using the device’s syndication functions.

Network logs from infected routers suggest the attacks have been taking place for at least a year, FireEye’s CEO said.

The implanted software, which duplicates normal router functions, could also potentially affect routers from other makers, DeWalt said.

Infected hardware devices include Cisco routers 1841, 2811 and 3825, FireEye said. Cisco had discontinued selling the products but still supports customers using them.

FireEye said it was only announcing its discovery after working with Cisco to quietly notify governments and affected parties. “We thought it was best to release this so everyone can fix their routers as fast as possible,” DeWalt said.

(Additional reporting by Joseph Menn in San Francisco; Editing by Louise Heavens and Greg Mahlich)

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *