Cisco Routers Vulnerable To Malware Attacks Via Backdoor Firmware Installation

September 15th, 2015 | Farzan Hussain | Malware, Security

It has long been believed that Cisco routers used in enterprise environments could be compromised by installing backdoored firmware, but until now that was only a theory.

Now security researchers at Mandiant, an American cyber security firm owned by FireEye, have confirmed that Cisco routers can be compromised through backdoored firmware, and they have found such implants on fourteen routers used by organizations in four countries: the Philippines, Ukraine, Mexico and India.

The malware used to infect the routers is codenamed SYNful Knock. It silently modifies the router's firmware image to give attackers private backdoor access to the infected network. The implant is flexible: it can be customized and updated after it has been installed on the router.

The attack is hard to detect because it uses non-standard packets as a form of pseudo-authentication.

SYNful Knock modifies the IOS image that Cisco routers run. The researchers found three affected models, the Cisco 1841, 2811 and 3825, all widely used by businesses and organizations to provide networked services.

However, it is believed that other Cisco routers using similar IOS image and core functionality could also be vulnerable to the firmware backdoor attacks.

The method the attackers used to install the malicious firmware does not exploit a zero-day vulnerability. Instead, the researchers found that the attackers had either obtained the login credentials of the affected routers or the credentials had been left at their defaults.

Furthermore, a router is the hub through which all connected devices and computers communicate, which makes it an ideal foothold for attackers seeking to infect the rest of the network.

What SYNful Knock Malware Is Capable Of:

The router implant, SYNful Knock, consists of a modified Cisco IOS image that lets the attacker load various functional modules remotely and anonymously from the Internet. The infected firmware also gives the attacker unrestricted access to the router through a secret backdoor password.

The functional modules loaded by the attacker are enabled over plain HTTP (not HTTPS) using specially crafted TCP packets sent to the router's interface. These TCP packets use a modified sequence number and consistent acknowledgment numbers.
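As an added defender-side illustration (not code from the article or from FireEye), the Python below parses raw TCP headers from constructed sample packets and flags SYN packets that carry a non-zero acknowledgement number, the kind of non-standard packet the article describes. The sequence/acknowledgement delta is a labelled placeholder, since the article gives no value for it.

```python
import struct

# Assumption (placeholder): the article only says the crafted SYN carries a
# modified sequence number and a "consistent" acknowledgement number. Set this
# to the documented delta from a vendor report when deploying; None disables it.
EXPECTED_SEQ_ACK_DELTA = None

TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10


def parse_tcp_header(data: bytes) -> dict:
    """Parse the fixed 20-byte TCP header (RFC 793 field layout)."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": (off_flags >> 12) * 4, "flags": off_flags & 0x1FF,
            "window": window}


def is_suspicious_syn(hdr: dict, expected_delta=EXPECTED_SEQ_ACK_DELTA) -> bool:
    """A SYN without ACK set normally carries an acknowledgement number of 0
    (RFC 793 says the field is ignored, and ordinary stacks leave it zero).
    A SYN with a non-zero acknowledgement number is therefore an anomaly worth
    alerting on; optionally also require a specific seq-ack delta."""
    flags = hdr["flags"]
    if not (flags & TCP_FLAG_SYN) or (flags & TCP_FLAG_ACK):
        return False          # not a bare SYN: normal SYN-ACK/ACK traffic
    if hdr["ack"] == 0:
        return False          # well-formed initial SYN
    if expected_delta is None:
        return True
    return (hdr["seq"] - hdr["ack"]) & 0xFFFFFFFF == expected_delta


def build_tcp_header(sport, dport, seq, ack, flags, window=8192) -> bytes:
    """Construct a 20-byte TCP header for sample data (checksum left as 0)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)


# Constructed sample packets, not real captures; values are arbitrary.
SAMPLE_PACKETS = {
    "normal_syn": build_tcp_header(40000, 80, 0x11223344, 0, TCP_FLAG_SYN),
    "normal_ack": build_tcp_header(40000, 80, 0x11223345, 0x55667788, TCP_FLAG_ACK),
    "odd_syn": build_tcp_header(40001, 80, 0x3A5B7C9D, 0x00001234, TCP_FLAG_SYN),
}


def scan(packets: dict) -> list:
    """Return the names of packets matching the suspicious-SYN heuristic."""
    return [name for name, raw in packets.items() if is_suspicious_syn(parse_tcp_header(raw))]
```

In practice the same check runs over headers pulled from a pcap or a span port feed; a bare SYN with a non-zero acknowledgement number is rare enough in legitimate traffic to be a useful alert on its own.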

The modules loaded into the router can present themselves as independent executable code within the router's IOS image and offer functionality very similar to the backdoor password. These backdoor passwords give attackers access to the router through Telnet and the console.

SYNful Knock – Backdoor Password

The illustration below shows how attackers gain access to the Cisco routers.

SYNful Knock - Module Update Backdoor Access

Another serious concern is persistence: because the implant lives inside a modified Cisco IOS image file, it survives a reboot of the router. The modules the attacker loads remotely do not, since they are held in volatile memory and are gone after a reboot.

Source: FireEye, https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html
