Last month, The Age featured an article on Cisco router vulnerabilities that caused some concern for IT departments worldwide.
The article drew on research by Mandiant, the forensic arm of US security research firm FireEye, which uncovered the latest trend in persistence – implanted routers.
Routers implanted with a backdoor provide attackers with an easy entry point to establish a toehold in your network and compromise critical data and applications. Whilst this form of attack could be used to compromise any router, in this instance it was Cisco routers that were targeted.
Mandiant discovered 14 instances of the router implant (dubbed SYNful Knock) across four countries: Ukraine, Philippines, Mexico and India.
Cisco later confirmed that it had alerted customers to these attacks on Cisco OS software platforms and that it was working with Mandiant to develop ways for customers to detect the attack.
According to Cisco, “In the past, attackers were primarily targeting infrastructure devices to create a denial of service (DoS) situation. While these types of attacks still represent the majority of attacks on network devices, attackers are now looking for ways to subvert the normal behavior of infrastructure devices due to the devices’ privileged position within the IT infrastructure.”
Routers operate outside the perimeter of firewalls, anti-virus and other security tools used to safeguard data in transit. FireEye Chief Executive Dave DeWalt explains the potential impact of a compromised router: “If you own the router, you own the data of all the companies and government organisations that sit behind that router.”
According to FireEye, this means the estimated $80 billion spent annually on cyber security tools offers no protection against this form of attack.