SYNful Knock backdoor for attacking routers: what is the problem and how to protect yourself

Representatives of the Mandiant company (owned by FireEye) this week published the results of a study of the security of Cisco routers. They managed to find a backdoor with the help of which attackers can carry out previously unknown attacks and collect large amounts of confidential data without attracting attention.
What is the problem
Backdoor called SYNful Knock (news about him has been Habré), and was found on dozens of routers around the world, including in Russia and Ukraine. Most infected routers were found in the United States (25 devices), followed by Lebanon (12), followed by Russia with 8 infected routers. Zmap

data
During the attack, attackers do not exploit any serious vulnerabilities in the device software. Instead, an implant is used - a modified image of the Cisco IOS operating system, which allows you to download functional modules from the Internet. The modules are initialized using HTTP (not HTTPS) and special TCP packets sent to the router interface.

In addition, using a password “wired” into a malicious OS image, attackers can gain remote access to the router through the console or telnet. Bookmarks are activated every time you restart the device. To replace the OS, stolen credentials and standard administrator passwords are used (users often forget to change the default password).
According to the researchers, the Cisco 1841, 2811, and 3825 routers are susceptible to attack . The company confirmed the presence of a problem on its blog .
Mandiant experts point out that the detection of a backdoor indicates a likely compromise of other systems, and not just routers - such devices usually work outside the perimeter of firewall protection and other means of protection, which makes backdoors especially dangerous for them.
Researchers suggest that infected routers could be used to organize attacks on a number of industrial and government organizations.
The described attack is similar to the method that Cisco employees themselves introduced in August this year. Then the company warnedclients that attackers can replace the ROMMON (ROM Monitor) firmware with a malicious copy. At the same time, no vulnerabilities were used, and hackers obtained access to the device using real credentials, which may indicate that employees of the organization-owner of the router or people who had physical access to the device participated in the attack.
Not only Cisco
The described attack is not specific to Cisco routers: in a similar way, network devices of various equipment manufacturers can be attacked. In particular, various researchers published information about hacking Juniper hardware firmware.
In addition, representatives of US intelligence agencies said that the Chinese manufacturer of network equipment Huawei helps in industrial espionage in favor of the Chinese government with the help of backdoors built into the firmware.
Also in September 2015, independent information security researchers published information on a number of zero-day vulnerabilities in FireEye products.
How to protect yourself
Despite the complexity of detecting the SYNful Knock backdoor, you can protect yourself using standard security tools - for example, the MaxPatrol security analysis system. To do this, the administrator needs to start Cisco IOS and calculate the checksum of the OS image:

Next, this checksum must be entered in MaxPatrol, after which the system will check for its compliance with the real value:

At first glance, the method seems complicated, because in large organizations the number of network devices can reach several thousand. However, even in this case, the unique images of the operating system are usually no more than a few dozen, and you can check them all pretty quickly.
There is another option for detecting SYNful Knock. To do this, the administrator needs to activate the checksum calculation of the OS image in MaxPatrol 8 using the requirements used above. After scanning Cisco IOS using MaxPatrol, you must configure dif-reports and image checksum change control.
The first method, which involves comparing with the values from the Cisco checksum set , is more efficient. However, given the fact that software changes do not occur so often, the use of dif-reports can also seriously minimize the risk of an attack. In this case, however, a scenario is missed in which the image can already be modified by cybercriminals, therefore Positive Technologies experts recommend using both methods.
We also asked Cisco representatives to comment on the discovery of the SYNful knock backdoor and provide recommendations on minimizing the risks associated with it.
Alexey Lukatsky, Cisco Business Security Consultant:
- The first generation of Cisco routers was sold in the amount of about 10 million copies. How serious is the problem encountered with 79 routers? This is not even a ten thousandth percent. And not to mention the fact that the generation affected by this problem was withdrawn from sales in 2010.
Fear [of this problem] is for those who do not have a service contract to support the purchased equipment and wanting to save, decided to download the new version of IOS not from the Cisco website. Fortunately, the number 79 shows that there are not many such companies. Of course, one should not discount the fact of malicious installation of such a modified network OS. But without understanding the affected organizations, it is premature to draw any conclusions about the targeted nature of such a threat.
To neutralize this threat, I would consider three possible scenarios. The first is to upgrade infrastructure equipment to the third generation of routers (ISR 4K) or at least the second (ISR G2), which are equipped with appropriate protection mechanisms against spoofing the IOS image and a number of other threats. The second scenario is to build a protective circuit around outdated models of network equipment from network security tools - IPS, ITU, means for monitoring abnormal activity, and also to control physical and network access to equipment. And finally, the third scenario is to implement the recommendations described in our guides on protecting IOS and monitoring its integrity. The best strategy is to combine all three scenarios.
Alexey Lukatsky, Cisco Business Security Consultant: