Malware implants on Cisco routers revealed to be more widespread

Researchers detected 200 routers with malicious firmware in 31 countries

Attackers replaced the firmware on Cisco routers around the world.
Credit: Gerd Altmann / Pixabay

Attackers have installed malicious firmware on nearly 200 Cisco routers used by businesses from over 30 countries, according to Internet scans performed by cybercrime fighters at the Shadowserver Foundation.

Last Tuesday, FireEye subsidiary Mandiant warned about new attacks that replace the firmware on integrated services routers from Cisco Systems. The rogue firmware provides attackers with persistent backdoor access and the ability to install custom malware modules.

At the time Mandiant said that it had found 14 routers infected with the backdoor, dubbed SYNful Knock, in four countries: Mexico, Ukraine, India and the Philippines. The affected models were Cisco 1841, 2811 and 3825, which are no longer being sold by the networking vendor.

Since then, the Shadowserver Foundation, a volunteer organization that tracks cybercrime activities and helps take down botnets, has been running an Internet scan with Cisco's help in order to identify more potentially compromised devices.

The results confirmed Mandiant's suspicions: there are more than 14 routers infected with SYNful Knock out there. Shadowserver and Cisco identified 199 unique IP (Internet Protocol) addresses in 31 countries that show signs of compromise with this malware.

The U.S. has the largest number of potentially infected routers, 65. It is followed by India with 12 and Russia with 11.

Shadowserver plans to start notifying network owners who have signed up for the organization's free alert service if any of the compromised routers fall into their IP blocks.

"It is important to stress the severity of this malicious activity," the organization said Monday in a blog post. "Compromised routers should be identified and remediated as a top priority."

By controlling routers, attackers gain the ability to sniff and modify network traffic, redirect users to spoofed websites and launch other attacks against local network devices that would otherwise be inaccessible from the Internet.

Since the devices targeted by the SYNful Knock attackers are typically professional-grade routers used by businesses or ISPs, their compromise could affect large numbers of users.

Cisco has been aware of attackers using rogue firmware implants for several months. The company published a security advisory in August with instructions on how to harden devices against such attacks.

An earlier version of this story transposed the model number of one of the affected routers in the third paragraph: the router is model 2811. In the second paragraph, the timing of the warning by Mandiant has been corrected to indicate that it happened last Tuesday.