SYNful Knock: Detecting and Mitigating Cisco IOS Software Attacks
Friday, 18 September 2015 02:05

Historically, threat actors have targeted network devices to create disruption through a denial of service (DoS) situation. While this remains the most common type of attack on network devices, we continue to see advances that focus on further compromising the victim’s infrastructure.

Recently, the Cisco Product Security Incident Response Team (PSIRT) has alerted customers to the evolution of attacks against Cisco IOS Software platforms.

Today, Mandiant/FireEye published an article describing an example of this type of attack. This involved a router “implant” that they dubbed SYNful Knock, reported to have been found in 14 routers across four different countries.

The Cisco PSIRT worked with Mandiant and confirmed that the attack did not leverage any product vulnerabilities and that it was shown to require valid administrative credentials or physical access to the victim’s device.

SYNful Knock is a type of persistent malware that allows an attacker to gain control of an affected device and compromise its integrity with a modified Cisco IOS software image. It was described by Mandiant as having different modules enabled via the HTTP protocol and triggered by crafted TCP packets sent to the device.


Cisco Talos has published the Snort Rule SID:36054 to help detect attacks leveraging the SYNful Knock malware.

Given their role in a customer’s infrastructure, networking devices are a valuable target for threat actors and should be protected as such. We recommend that customers of all networking vendors include methods for preventing and detecting compromise in their operational procedures. The following figure outlines the process of protecting and monitoring Cisco networking devices.


- Step 1: Harden devices – use Cisco's guidance to harden Cisco IOS devices.

- Step 2: Instrument the network – follow the recommendations in Telemetry-Based Infrastructure Device Integrity Monitoring.

- Step 3: Establish a baseline – ensure operational procedures include methods to establish a baseline.

- Step 4: Analyze deviations from the baseline – leverage the technical capabilities and recommendations for Cisco IOS Software Integrity Assurance.
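As an added illustration of Steps 3 and 4 (not Cisco's or Mandiant's code), the script below keeps a per-device baseline of the IOS image digest each router reports, compares a later telemetry collection against that baseline and against a known-good digest table, and flags any deviation. Device names, image file name and digests are constructed placeholders; in practice the records would come from the integrity telemetry described in the steps above.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageRecord:
    hostname: str
    image: str   # image file name as the device reports it
    md5: str     # hex digest the device reports for that image


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed digest standing in for a vendor-published hash (not a real Cisco value).
GOOD_IMAGE = "c2900-universalk9-mz.SPA.bin"  # hypothetical image file name
KNOWN_GOOD = {GOOD_IMAGE: md5_hex(b"constructed: genuine image bytes")}


def check_deviations(baseline, current, known_good):
    """Return (hostname, finding) pairs for every deviation from the baseline.

    baseline: dict hostname -> ImageRecord captured when the device was known good
    current:  list of ImageRecord from the latest telemetry collection
    known_good: dict image file name -> expected digest
    """
    findings = []
    seen = set()
    for rec in current:
        seen.add(rec.hostname)
        base = baseline.get(rec.hostname)
        if base is None:
            findings.append((rec.hostname, "device not in baseline"))
        elif rec.md5 != base.md5:
            findings.append((rec.hostname, "image digest changed since baseline"))
        if known_good.get(rec.image) != rec.md5:
            findings.append((rec.hostname, "digest does not match a known-good image"))
    # A device that stops reporting is itself a deviation worth investigating.
    for host in baseline:
        if host not in seen:
            findings.append((host, "no telemetry received"))
    return findings


def demo():
    """Run the check over constructed baseline and current records."""
    good = KNOWN_GOOD[GOOD_IMAGE]
    baseline = {h: ImageRecord(h, GOOD_IMAGE, good) for h in ("rtr-a", "rtr-b", "rtr-c")}
    current = [
        ImageRecord("rtr-a", GOOD_IMAGE, good),                                    # unchanged
        ImageRecord("rtr-b", GOOD_IMAGE, md5_hex(b"constructed: modified image")),  # modified image
    ]                                                                              # rtr-c silent
    return check_deviations(baseline, current, KNOWN_GOOD)
```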

We thank Mandiant/FireEye for their focus on protecting our shared customers, and for adding their voice to calls for greater focus on network security.
