That still doesn’t mean there’s an outbreak and that Dustin Hoffman is going to show up in a hazmat suit. But it’s an interesting development as Cisco tracks what it calls an “evolution” of attacks on its IOS operating system.
Cisco and The Shadowserver Foundation, a volunteer-run, nonprofit organization, announced Monday morning that Shadowserver had found 199 IP addresses affected by the malware known as SYNful Knock. That’s a sliver of the routers in the world, but it’s a lot more than the 14 affected routers disclosed last week by Mandiant, a subsidiary of FireEye.
The routers affected are obsolete models — Mandiant’s report cited the Cisco 1841, 2811, and 3825. Moreover, there’s no new flaw in IOS that was exploited here; SYNful Knock requires administrative access to the routers in the first place. (Being physically next to the router works, too.)
SYNful Knock creates an open backdoor through which an attacker can replace the router’s software with a “modified” IOS image, as Cisco puts it. In other words, you can recode the router to do pretty much whatever you want.
In past years, IOS security was more concerned with distributed denial-of-service (DDoS) attacks. Multiple times, Cisco found vulnerabilities in the code that would be triggered if a certain type of malformed packet were to arrive — but these holes were found in the lab, not in the wild.
SYNful Knock represents a new and more sinister attack vector, and it’s not the first time we’ve heard about this kind of attack. In August, Cisco disclosed a separate vulnerability that allowed the replacement of a router’s boot image — again, letting someone take control of the router. Like SYNful Knock, that vulnerability required admin credentials.
As for who is responsible for SYNful Knock, neither Cisco nor the security groups have indicated that they know. For what it’s worth, some experts, including security guru Bruce Schneier, think SYNful Knock looks like the product of a government agency.