Internet scans performed by the Shadowserver Foundation, a volunteer group of cybercrime fighters, have found almost 200 Cisco routers used by businesses running malicious firmware installed by attackers. Last week FireEye’s subsidiary Mandiant warned of new attacks that replace the firmware on integrated services routers made by Cisco Systems. This rogue firmware gives attackers backdoor access to the device and the ability to load custom-made malware modules.
At the time, Mandiant said it had found 14 routers infected with the implant, dubbed “SYNful Knock”, most likely planted through a backdoor, across four countries: Ukraine, Mexico, the Philippines and India. The affected models are the Cisco 1841, 2811 and 3825 routers, which the networking vendor no longer sells. Shadowserver, a volunteer organization that tracks cybercrime activity and helps stamp out botnets, has since taken up the search for infected devices.
The organization has been scanning the internet with Cisco’s help to identify devices that may be compromised. The results confirmed Mandiant’s suspicion that more than 14 routers had been infected by SYNful Knock: 199 unique IP addresses in 31 countries showed signs of compromise by the implant. 65 of the infected routers were in the United States alone, followed by India with 12 and Russia with 11.
Network owners subscribed to Shadowserver’s alert service will be notified if compromised routers are found within their IP blocks, and the organization said it has already begun that notification process. In a blog post on Monday, Shadowserver stressed the seriousness of the malicious activity and said that identifying compromised routers should be treated as a top priority.
Attackers with this level of access and control can snoop on and modify network traffic, redirect users to fake websites, and use that foothold to attack devices on the local network that would not normally be reachable from the internet. Because the routers targeted by SYNful Knock are professional-grade devices used by ISPs and businesses, each compromise can affect a much larger number of users. Cisco has known for months that attackers are using rogue firmware implants; in August it published a security advisory with instructions on how to harden the devices against such attacks.