SYNful Knock Attack Against Cisco Routers

FireEye is reporting the discovery of persistent malware that compromises Cisco routers:

While this attack could be possible on any router technology, in this case, the targeted victims were Cisco routers. The Mandiant team found 14 instances of this router implant, dubbed SYNful Knock, across four countries: Ukraine, Philippines, Mexico, and India.

[...]

The implant uses techniques that make it very difficult to detect. A clandestine modification of the router's firmware image can be utilized to maintain perpetual presence to an environment. However, it mainly surpasses detection because very few, if any, are monitoring these devices for compromise.

I don't know if the attack is related to this attack against Cisco routers discovered in August.

As I wrote then, this is very much the sort of attack you'd expect from a government eavesdropping agency. We know, for example, that the NSA likes to attack routers. If I had to guess, I would guess that this is an NSA exploit. (Note the lack of Five Eyes countries in the target list.)

Posted on September 21, 2015 at 11:45 AM • 23 Comments

Comments

ianfSeptember 21, 2015 12:30 PM


“… routers getting FREE implants…

That's pretty clever & cost-effective—if you don't mind me saying so, and of course you don't. But couldn't the NSA economize even further, and simply put these TAO-ops up for competitive tender?

These Trojan horse systems were described by an NSA manager as being “some of the most productive […] Tailored Access Operations because they pre-position access points into hard target networks around the world.

Clive RobinsonSeptember 21, 2015 12:59 PM

With regards,

However, it mainly surpasses detection because very few, if any, are monitoring these devices for compromise.

Something that has been discussed here befor and for which I suggested setting up a "Garden Path" surveillance system.

@ Bruce,

If I had to guess, I would guess that this is an NSA exploit. (Note the lack of Five Eyes countries in the target list.)

Also note they are not realy military threat countries, but more likely "targets of economic opportunity", which the NSA and USG keep claiming they don't do economic espionage...

rSeptember 21, 2015 1:26 PM

@ clive

i had the same feeling, unless this is just a part of a TIA campaign this really doesn't fit imb.

would the NSA really leave raw [unencrypted] telnet and http hooks in firmware?
ESP when they've proven very adept at small encryption implementations, so i don't think that a mere lack of SSL/TLS in the firmware or the added complexity of such hooks/hacks would've stopped them from creating a more secure 'product' of their exploitation.

the TLB mod is pretty cute but wouldn't that be just as relatively easy to hook/forge if you had the time and resources of the NSA?

part of my [emotional] reasoning for the opinion i've drawn is that i'd like to believe that the US and India are "tight"?

GopiballavaSeptember 21, 2015 1:40 PM

Does the NSA have the capability to modify packets in-flight, or to inject something like TCP reset packets?

Do they have the ability to detect and subvert exploits from others?

I have no idea how many exploits could realistically be detected in real-time, but that could be one reason that five eyes routers seem unaffected.

rgaffSeptember 22, 2015 1:49 AM

They may be free for all you non-US Persons (I mean, what a benefit)... but for us here in the US, we pay for them with our taxes... Oh, and I guess the Chinese paid for some of them too with our deficit (Thanks, we'll keep that). :)

Clive RobinsonSeptember 22, 2015 4:36 AM

@ rgaff,

... but for us here in the US, we pay for them with our taxes...

You actually pay thrice on that score, along with the money to the US IC, the descovery of these adds loss of sales abroad thus taxes --if paid-- on the proffit, lost income tax on staff laid off and the cost of their welfare from taxes.

And for what?...

Soon the only safe(ish) job in the US will be as a peon in the IC community, serving surf like the new barons of the elite and their "court jester" politicians kept around to provide them with ammusment and a shield from the citizens as they direct their false hopes and wrath against the monkey in suit representatives...

Of corse there is the Orwell Option to get out of what would otherwise be an economic disaster, "Go To War" and put the entire population on and endless war footing.

Oh hang on a mo, I forgot that's already started...

EvanSeptember 22, 2015 9:14 AM

@r:

would the NSA really leave raw [unencrypted] telnet and http hooks in firmware?

I think so. In the first place, they're much more concerned with being able to obtain data from the target machine than they are with making sure nobody else has that data, so they err on the side of easy access. In the second place, using encrypted communications means they have to either rely on the built-in crypto frameworks or inject their own. The built-in frameworks could be patched in a way that denies the NSA access, or the user could disable whichever SSL certificate that TAO hackers were using. Newly injected crypto frameworks increase the size of the payload and thus the likelihood of being noticed, particularly if it doesn't fit in firmware.

Clive RobinsonSeptember 22, 2015 10:45 AM

@ Redmond,

Thanks for the link.

Sadly the information does not contain sufficient information to see where on the "real map" of the Internet the infected devices sit.

Knowing that would as ths article demonstrates --from the satellite company-- show the "who", "where" and "what" of it which would make predictions a lot firmer.

My guess is still "economic espionage" based on what is there. It's interesting to note that China is economicaly active for resources directly or indirectly in a big chunk of the areas covered (not that, that is saying all that much).

What we realy need is as I said the data that would tell us the choke points these routers are at, and thus discern the downstream or through traffic that could be seen or modified etc.

rSeptember 22, 2015 10:50 AM

@rgaff, i'm still laughing @ that even tho it's REALLY not funny. Another way we are paying for it is the "see no evil" ideal towards tax havens with companies that are most likely complicit, and also any loss of sales/industry we have stateside thanks to these practices.

@evan, i do realize the size constraint issues. I wouldn't think they'd place SSL/TLS hooks into the code as that would prolly take up alot of extra space... but we've seen them using rc4 and other things in the C&C and malware modules of stuxnet and others - so i would've at least expected something that couldn't merely be sniffed out.
but - to your point - you're right about wreckless behaviour: the malicious HDD firmware that was discovered was proven by an outside researched to work with SSD's also. SO in my mind that means they're not careful enough about allowing repurposing (such protections in an R/E landscape may be impossible granted).

i still kind've feel these are US interest locations, and it could be someone other than us. :P

k14September 22, 2015 11:01 AM

"very few, if any, are monitoring these devices for compromise."

In a civilized, well-governed country, or world, whose job would this be?

Clive RobinsonSeptember 22, 2015 11:27 AM

@ r,

The problem the NSA and other FiveEyes have is firstly "detectability" then "deniability".

Stuxnet whilst ingenious in many respects was a large smoking gun back to the US. The ICs in WASP nations are directly affiliated with their Governments which makes deniability considerably harder than say Russia and China where their "cyber-attackers" are often two or more steps away from the respective Governments.

I think it's fairly clear to most super power and first world nation ICs since Stuxnet came to light in the way it did that you "can not hide Internet traffic" and it's not just the NSA who "collect it all" thus anything they do, can just like Ollie North's Emails of old turn up unexpected to cause considerable embarrassment.

So the old LPD (low probability of detection) assumptions do not hold thus "Detection" is in effect high probability...

Thus "deniability" is what is needed especialy if your "cyber-attackers" do not have a couple of degrees or more of seperation from your executive.

Thus I suspect the new idea is "minimal changes" and attacks that look like generic or criminal malware.

Look at it this way, a standard way of finding vulnerable hosts by attackers is to "enumerate hosts" in various ways, thus any change in a hosts behaviour from it's expected norms is a "red flag" issue. This not just for attackers but researchers as well, differences draw attention and allow those who have built up sufficient data to start drawing conclusions that are very likely to be adverse for WASP nation ICs, which gives rise to finger pointing and reverse engineering and the revelation of months or man-years of planning and work.

The problem with attacking routers is it's not somthing non governmental cyber-attackers tend to do (though that will change). Thus almost the first assumption you will hear when an attack on a router has been found is "it's state level" followed by the question of "Which one China, US, Israel, Russia..." depending mostly on who the current favourite "bogie man" is. Likewise if the attack is clever the assumption will be US, if obvious China, if apparently criminal Russia etc. These assumptions happen in the main because we lack information and thus insight, which is why "A goose may pass as a duck".

rgaffSeptember 22, 2015 1:48 PM

@Clive Robinson

"You actually pay thrice on that score"

Indeed, thanks for the correction... :)

rgaffSeptember 22, 2015 2:05 PM

@r

Laughing at it even though it's not funny, is a way of coping with seemingly unfixable stupidity... :)

Also making fun of stupid people DOES encourage them not to be so stupid in the future... so it's a way of slowly slightly possibly fixing the seemingly unfixable too.

So trolling those who are trying to accomplish something useful/good is annoying and to be ignored... but trolling those who are trying to tear apart society is actually useful in and of itself, and can be all that is available in some cases.

bruhahaSeptember 22, 2015 11:43 PM

@vetch

Highly improbable.

its do as I said donit as I do it.

@ Clive Robinson

"can just like Ollie North's Emails of old turn up unexpected to cause considerable embarrassment."

That's probably why the powers haven't entirely outlawed pastrami and wild wild west. The releases carry a deniability of its own.

JesusSeptember 23, 2015 6:56 AM

@Clive : "The problem with attacking routers is it's not somthing non governmental cyber-attackers tend to do (though that will change)."

That is untrue and I suspect misleading, though perhaps meant sarcastically as a lead in to a circular argument. I.e. when you admit it is untrue and misleading, the rest of the paragraph looks like propaganda.

Similarly, my understanding of stuxnet was that it was more about attacking sneakernets than people who think they are getting away with hiding internet traffic.

John Galt IVSeptember 23, 2015 2:15 PM


https://theintercept.com/2015/03/10/ispy-cia-campaign-steal-apples-secrets/
...
The security researchers presented their latest tactics and achievements at a secret annual gathering, called the “Jamboree,” where attendees discussed strategies for exploiting security flaws in household and commercial electronics. The conferences have spanned nearly a decade, with the first CIA-sponsored meeting taking place a year before the first iPhone was released.
...
“If U.S. products are OK to target, that’s news to me,” says Matthew Green, a cryptography expert at Johns Hopkins University’s Information Security Institute. “Tearing apart the products of U.S. manufacturers and potentially putting backdoors in software distributed by unknowing developers all seems to be going a bit beyond ‘targeting bad guys.’ It may be a means to an end, but it’s a hell of a means.”

Frisk ZeroSeptember 25, 2015 1:27 AM

"very few, if any, are monitoring these devices for compromise."

@k14: In a civilized, well-governed country, or world, whose job would this be?

I'd say the device owner.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.