Mandiant, the computer forensics arm of cybersecurity firm FireEye, has uncovered covert cyber attacks targeting routers made by Cisco.
The highly sophisticated and stealthy malware, called SYNful Knock, was implanted in Cisco routers across Ukraine, the Philippines, Mexico, and India, FireEye said in a blog post yesterday (Sept. 15).
By implanting routers with malicious software, attackers can potentially gain access to a great number of other hosts and vast amounts of critical data, since routers occupy critical positions at the boundaries and within the core of networks, FireEye explained.
Altogether, the Mandiant team has identified 14 instances of SYNful Knock on vulnerable Cisco routers.
Routers remain an attractive target for attackers because they typically sit outside the coverage of threat detection tools such as firewalls, anti-virus, behavioral detection software and other products used to protect data traffic, Reuters reported.
In Cisco’s Software Integrity Assurance statement, the company explained the privileged position attackers could gain by compromising an infrastructure device such as a router.
“In the past, attackers were primarily targeting infrastructure devices to create a denial of service (DoS) situation. While these types of attacks still represent the majority of attacks on network devices, attackers are now looking for ways to subvert the normal behavior of infrastructure devices due to the devices’ privileged position within the IT infrastructure,” Cisco said.
Unfortunately, FireEye suspects that routers will remain a likely target for hackers, noting that SYNful Knock is “just the tip of the iceberg when it comes to attacks utilizing modified router images (regardless of vendor).”
“If you own (seize control of) the router, you own the data of all the companies and government organizations that sit behind that router,” FireEye CEO Dave DeWalt told Reuters.
“This is the ultimate spying tool, the ultimate corporate espionage tool, the ultimate cybercrime tool,” DeWalt said.
According to Reuters, Cisco alerted its customers to the attacks last month and said the compromises were not due to a lapse in its software but were instead enabled by attackers stealing valid network administration credentials.
“We’ve shared guidance on how customers can harden their network, and prevent, detect and remediate this type of attack,” Cisco said in a statement.