The malware that FireEye's Mandiant found on a dozen or two Cisco routers around the world isn't quite as limited as initially thought. Cisco and the volunteer security group the Shadowserver Foundation said today that it has now been found on some 199 older Cisco routers.
SYNful Knock has cropped up across an even wider footprint, including dozens of routers located in the USA. At its core it is a replacement image of the router's operating system, one that lets a remote party do whatever it wants with the device: a persistent backdoor with a maintenance toolkit built in. What it isn't is a virus or trojan; it does not spread on its own. It can only be installed by someone who already holds administrative access to the router, which means the attacker already had complete control. The implant just makes that control easier to keep and reuse for future projects/missions, and harder to notice, since the box keeps routing traffic normally.
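Because the implant is a swapped-out OS image rather than a process you can list, the practical check is to compare a copy of each router's image against the hashes the vendor publishes. The script below is an added example, not code from this page, Cisco, or Mandiant; the "vendor" hash list and the image bytes are constructed stand-ins so it runs offline, and the file and device names are made up.

```python
"""Offline check of router OS images against a known-good hash list.

Added example (not Cisco's or Mandiant's tooling).  The image bytes and the
"vendor" hash list below are constructed stand-ins so the script runs offline.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an image file's contents, as a hex string."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample images.  The tampered one models the SYNful Knock case:
# the genuine image with extra code grafted on, shipped under the same name.
GENUINE_IMAGE = b"ROUTER-OS 15.x genuine image (constructed sample bytes)"
TAMPERED_IMAGE = GENUINE_IMAGE + b"\x00BACKDOOR MODULE (constructed sample bytes)"

# Constructed stand-in for a vendor-published filename -> SHA-256 list.  A real
# list comes from the vendor; this one is derived from the sample bytes above
# purely so the example is self-consistent.
KNOWN_GOOD = {
    "router-os-15.bin": sha256_hex(GENUINE_IMAGE),
}


def verify_image(filename: str, data: bytes, known_good=KNOWN_GOOD) -> str:
    """Return 'ok', 'mismatch' or 'unknown' for one image file.

    'mismatch' is the implant case: the expected filename, but contents the
    vendor never shipped.  'unknown' means no reference hash exists for that
    filename, which is a finding to chase, not a pass.
    """
    expected = known_good.get(filename)
    if expected is None:
        return "unknown"
    actual = sha256_hex(data)
    # Constant-time compare is habit here; the real point is using a hash
    # computed from a copy of the image, not one reported by the (possibly
    # implanted) running OS.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def audit(fleet: dict, known_good=KNOWN_GOOD) -> dict:
    """Verify every device in a {device: (filename, image_bytes)} mapping."""
    return {
        device: verify_image(filename, data, known_good)
        for device, (filename, data) in fleet.items()
    }


if __name__ == "__main__":
    # Constructed fleet: two routers, both claiming to run the same image file.
    sample_fleet = {
        "edge-1": ("router-os-15.bin", GENUINE_IMAGE),
        "edge-2": ("router-os-15.bin", TAMPERED_IMAGE),
        "edge-3": ("router-os-12-legacy.bin", GENUINE_IMAGE),
    }
    for device, status in audit(sample_fleet).items():
        print(f"{device}: {status}")
```

The image copy has to come from somewhere the implant cannot influence: pull the file from flash over a console or management session and hash it on your own workstation, or hash the copy in your image repository, rather than trusting a checksum printed by the router's own OS. Treat "unknown" as a gap in your reference list to close, not as a clean result.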
Nobody knows what, if anything, was eavesdropped on, nor is anyone saying who would have not only built such a beast but deployed it as well. But the nature and flexibility of the tool say pretty clearly that this isn't garage-based hackers messing around with personal details. That's not to say such people couldn't do it, just that they wouldn't likely do it this way. This sounds like a nation state, and the two biggest suspects would be the NSA and the Chinese, depending on the flavor of your own personal paranoia.
If someone has done this for certain routers, you can be sure they've at least tried it for others, and not just for Cisco. They may even have succeeded and simply not been detected yet. A whole new front seems to be opening up in the never-ending cybersecurity war.