Researchers have uncovered active and highly clandestine attacks that have infected more than a dozen Cisco routers with a backdoor that can be used to gain a permanent foothold inside a targeted network.
The SYNful Knock malware has been found on 14 routers in four countries, including Ukraine, the Philippines, Mexico, and India, and is likely being used to infect other parts of the targeted networks, researchers from security firm FireEye wrote in a report published Tuesday morning. The malicious router implants are loaded each time the device is powered on and support up to 100 modules, which can be tailored to individual targets. Cisco Systems officials have confirmed the findings and published intrusion detection signatures that customers can use to block attacks in progress.
“The impact of finding this implant on your network is severe and most likely indicates the presence of other footholds or compromised systems,” FireEye researchers wrote in Tuesday’s post. “This backdoor provides ample capability for the attacker to propagate and compromise other hosts and critical data using this as a very stealthy beachhead.”