Industry Perspectives Blog

The New Route to Persistence: Compromised Routers In The Wild

Over the years, Mandiant has witnessed many shifts in attacker techniques, tactics, and procedures (TTPs). Specifically, persistence mechanisms have evolved to provide attackers more features while maintaining even greater stealth. Our Mandiant services team has discovered the next evolution in persistence currently being used in the wild. Once thought to be only theory, implanted routers are now very much a reality.

Routers occupy critical positions because they sit on the boundaries of a network as well as in its core. Ironically, these critical devices are often overlooked in favor of endpoints, mobile devices, and servers when it comes time to respond to an attack. However, a router implanted with a backdoor gives attackers a very easy entry point from which to establish a foothold and compromise other hosts and critical data.

While this attack could be possible on any router technology, in this case, the targeted victims were Cisco routers. The Mandiant team found 14 instances of this router implant, dubbed SYNful Knock, across four countries: Ukraine, Philippines, Mexico, and India.

Because router-focused attacks were long considered theoretical, our industry developed a mindset of building more walls around the perimeter, leaving many organizations exposed when it comes to foundational devices like routers.

How big is the impact of such an attack?

No company can exist today without heavily relying on being connected to the Internet. Imagine for a second that every bit of data going in and out of these companies could be compromised without any knowledge of it. You might first assume that all of the databases or servers would need to be under attacker control. But the router's position on the edge of the network can now be turned against you to achieve this goal.

As we saw with attackers adopting nascent services like Twitter and Microsoft TechNet to carry out their attacks and obfuscate their activity, we see here that a very uncommon attack vector has opened a worldwide threat that is highly difficult to detect.

According to Cisco, "In the past, attackers were primarily targeting infrastructure devices to create a denial of service (DoS) situation. While these types of attacks still represent the majority of attacks on network devices, attackers are now looking for ways to subvert the normal behavior of infrastructure devices due to the devices' privileged position within the IT infrastructure. In fact, by owning an infrastructure device such as a router, the attacker may gain a privileged position and be able to access data flows or crypto materials or perform additional attacks against the rest of the infrastructure."[1]

The implant uses techniques that make it very difficult to detect. A clandestine modification of the router's firmware image can be used to maintain a perpetual presence in an environment. However, it mainly evades detection because very few organizations, if any, are monitoring these devices for compromise.

A serious threat to the future

We believe that the detection of SYNful Knock is just the tip of the iceberg when it comes to attacks utilizing modified router images (regardless of vendor). As attackers focus their efforts on gaining persistent access, it is likely that other undetected variants of this implant are being deployed throughout the globe. 

Addressing this new threat vector will require a different type of approach and will certainly reveal information about previously unknown compromises.

The full details of the attack are included in our report detailing SYNful Knock, which provides detection signatures and active hunting techniques for enterprises to implement.