According to reports from FireEye, IT security professionals need to be concerned not only about malware attacks on computers, servers, and Android devices: Cisco router malware has now been discovered.
Cisco router malware discovered on 79 devices to date
Cisco router malware is highly sophisticated and particularly worrying. The malware can survive a restart and is reloaded each time the router boots. It is also highly versatile and can be tweaked to suit an attacker’s needs; it has been found to support up to 100 different modules.
The malware was first discovered in Ukraine, although infections have now spread to 19 countries around the world, including the US, UK, Germany, China, Canada, India and the Philippines. At this stage it is not clear who created the malware or what its main purpose is.
It is also not clear whether the malware was installed by exploiting vulnerabilities. It is possible that the routers were hijacked because default logins were never changed or weak passwords were set.
It is known that the malware is sophisticated and it appears to have been professionally developed. This has led security researchers to believe that foreign governments have had a hand in its development. Should that be the case, the main purpose of the malware is likely to be spying. While it has been known for some time that router malware is possible in theory, this is the first time that malware affecting routers has been discovered in the wild.
SYNful Knock came as a big surprise to many security professionals
The malicious software is called SYNful Knock and serves as a fully functional backdoor, allowing remote access to networks. The attacks are also silent in many cases, and hackers are able to use the malware without risk of detection.
To date, the United States has been the main target of the cybercriminals behind the infections, with 25 of the 79 infections discovered in the U.S. That said, the infection was found to have affected one ISP that was hosting 25 infected routers. Lebanon has also been targeted, with 12 infections discovered in the country, while 8 of the 79 infections have been found in Russia.
The infections were discovered using ZMap. Four full scans of the public IPv4 address space were carried out, probing for signs of the malware by sending TCP SYN packets. At this stage it appears that only Cisco routers have been affected by SYNful Knock, but there is concern that other manufacturers’ routers may also be infected. Researchers are now investigating whether router malware is a more widespread problem.
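The SYN-probe approach described above can be turned into a check for a defender's own routers: send a SYN to each device and compare the SYN-ACK it returns against a baseline recorded from a clean router of the same model and software version, flagging any field or TCP option that differs. The code below is an added example and is not part of the original article or of FireEye's scanner; the baseline and "suspect" segments are constructed for illustration and are not the real SYNful Knock indicators, which the article does not give.

```python
import struct

def parse_tcp_header(segment: bytes) -> dict:
    """Parse the fixed 20-byte TCP header plus any options from a raw segment."""
    src, dst, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4      # header length in bytes
    flags = off_flags & 0x1FF                # low 9 bits carry the TCP flags
    options = []
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == 0:                        # End of option list
            break
        if kind == 1:                        # NOP padding, no length byte
            i += 1
            continue
        length = segment[i + 1]
        options.append((kind, segment[i + 2:i + length]))
        i += length
    return {"seq": seq, "ack": ack, "flags": flags, "window": window, "options": options}

def synack_fingerprint(segment: bytes) -> dict:
    """Reduce a SYN-ACK to the fields worth comparing across devices of one model."""
    h = parse_tcp_header(segment)
    return {"flags": h["flags"], "window": h["window"],
            "option_kinds": [kind for kind, _ in h["options"]]}

def compare_to_baseline(segment: bytes, baseline: dict) -> dict:
    """Return {field: (expected, observed)} for every field that deviates; empty means clean."""
    fp = synack_fingerprint(segment)
    return {k: (baseline[k], fp[k]) for k in baseline if baseline[k] != fp[k]}

def build_segment(flags: int, window: int, options: bytes = b"") -> bytes:
    """Build a raw TCP segment for test data (constructed; checksum left at zero)."""
    options += b"\x00" * ((-len(options)) % 4)   # pad options to a 32-bit boundary
    data_offset = 5 + len(options) // 4
    header = struct.pack("!HHIIHHHH", 23, 40000, 0x1000, 0x2000,
                         (data_offset << 12) | flags, window, 0, 0)
    return header + options

SYN_ACK = 0x012                                             # ACK | SYN
MSS_OPT = struct.pack("!BBH", 2, 4, 1460)                   # MSS option, kind 2
# Constructed samples: a baseline reply and one with a different window and an
# extra SACK-permitted option (kind 4) that a stock device would not send.
CLEAN = build_segment(SYN_ACK, 4128, MSS_OPT)
SUSPECT = build_segment(SYN_ACK, 8192, MSS_OPT + b"\x01\x01\x04\x02")
BASELINE = synack_fingerprint(CLEAN)

if __name__ == "__main__":
    print("clean:", compare_to_baseline(CLEAN, BASELINE))      # {}
    print("suspect:", compare_to_baseline(SUSPECT, BASELINE))  # window and option_kinds differ
```

Record the baseline from a device you have verified is running a known-good image; a mismatch is a prompt for a deeper look at that router, not proof of compromise on its own.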