SYNful Knock spreads: embaddened boxen in 31 countries

Cisco and Shadowserver root out rooted routers

The Shining - blood cascade

Cisco's moved to sweep up routers compromised by the firmware vulnerability that first emerged in August and which FireEye/Mandiant last week found in the wild.

The router implant, now dubbed SYNful Knock (because you can no longer have a vulnerability without a brand), was spotted in the wild in machines in the Ukraine, the Philippinies, Mexico and India.

The attack involves flashing Cisco routers with a compromised ROMMON boot image.

Now, Cisco says it's worked with a company called Shadowserver to seek out routers that are exposed to SYNful Knock.

The joint work has vastly expanded the geographical coverage of the vulnerability, with 65 machines found in the USA, 11 in the Russian Federation, nine in Poland, and handfuls of boxes in the remainder of the 31 nations the vuln has turned up in so far.

Shadowserver notes that there are now Snort rules (here) for the vulnerability.

Cisco's Omar Santos has also posted information about detecting SYNful Knock attacks, and the company has posted a video tutorial for customers. ®

Youtube Video

Biting the hand that feeds IT © 1998–2018