Menu
Malware implants on Cisco routers revealed to be more widespread

Malware implants on Cisco routers revealed to be more widespread

Researchers detected 200 routers with malicious firmware in 31 countries - but Australia is not among them

Attackers have installed malicious firmware on nearly 200 Cisco routers used by businesses from over 30 countries, according to Internet scans performed by cybercrime fighters at the Shadowserver Foundation.

Last Tuesday, FireEye subsidiary Mandiant warned about new attacks that replace the firmware on integrated services routers from Cisco Systems. The rogue firmware provides attackers with persistent backdoor access and the ability to install custom malware modules.

At the time Mandiant said that it had found 14 routers infected with the backdoor, dubbed SYNful Knock, in four countries: Mexico, Ukraine, India and the Philippines. The affected models were Cisco 1841, 2811 and 3825, which are no longer being sold by the networking vendor.

Since then, the Shadowserver Foundation, a volunteer organization that tracks cybercrime activities and helps take down botnets, has been running an Internet scan with Cisco's help in order to identify more potentially compromised devices.

The results confirmed Mandiant's suspicions: there are more than 14 routers infected with SYNful Knock out there. Shadowserver and Cisco identified 199 unique IP (Internet Protocol) addresses in 31 countries that show signs of compromise with this malware.

The U.S. has the largest number of potentially infected routers, 65. It is followed by India with 12 and Russia with 11.

Shadowserver plans to start notifying network owners who have signed up for the organization's free alert service if any of the compromised routers fall into their IP blocks.

"It is important to stress the severity of this malicious activity," the organization said Monday in a blog post. "Compromised routers should be identified and remediated as a top priority."

By controlling routers, attackers gain the ability to sniff and modify network traffic, redirect users to spoofed websites and launch other attacks against local network devices that would otherwise be inaccessible from the Internet.

Since the devices targeted by the SYNful Knock attackers are typically professional-grade routers used by businesses or ISPs, their compromise could affect large numbers of users.

Cisco has been aware of attackers using rogue firmware implants for several months. The company published a security advisory in August with instructions on how to harden devices against such attacks.

Subscribe here for up-to-date channel news

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Featured

Slideshows

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards

Revealed at a glitzy bash in Sydney at the Ivy Penthouse, the first StorageCraft Partner Awards locally saw the vendor honour its top-performing partners with ASI Solutions, SMBiT Pro, Webroot, ACA Pacific and Soft Solutions New Zealand taking home the top awards. Photos by Maria Stefina.

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards
Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip

Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip

​Synnex and Lenovo hosted 18 resellers for an action-packed weekend adventure in RotoVegas, taking in white water rafting on the Kaituna River, as well as quad biking and dinner at Stratosfare​, overlooking Lake Rotorua at the top of Mount Ngongotaha​. Photos by Synnex.

Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip
Show Comments