Cisco router attacks by SYNful Knock bug affected 4 countries

US security research firm FireEye has discovered attacks by a bug dubbed SYNful Knock on Cisco routers in India, Ukraine, Mexico and the Philippines. It gives hackers access to large amounts of data while going undetected by current cyber-security programs.

SYNful Knock replaces the existing operating software in the Cisco routers. It modifies the OS to maintain a customizable presence in the devices, meaning it can be updated once it finds a way in. A report by Mandiant, the computer forensic arm of FireEye, asserts that over 14 cases of router implants have been detected in the four countries mentioned above.

The computer logs from the affected devices suggest the attacks have been going on for a year. In a blog post, Cisco confirmed that it has alerted customers vulnerable to the malicious software. The company is currently working with Mandiant to develop ways to detect SYNful Knock.

If the implant is found, the administrator will have to re-image the OS used to control the affected routers. Cisco claims the malware did not exploit any vulnerability in its own software, but instead relied on stolen network administration credentials or physical access to the targeted router. According to their data, the infected devices have been used to attack multiple businesses and government agencies.

Dave DeWalt, Chief Executive at FireEye, explained that once SYNful gains control of a router, the hackers behind it own all the data processed by the organization. They can use it for their own purposes to direct traffic around the internet. The routers are vulnerable to such attacks as they function outside the protection of commonly used anti-virus software.

Most security tools offer no protection against such attacks, as they have been unheard of until now and existed only in theory. DeWalt thinks the implanted SYNful Knock software could potentially infect routers from vendors other than Cisco in the future.
