“If you own (seize control of) the router, you own the data
of all the companies and government organizations that sit behind that router”
FireEye Chief Executive Dave DeWalt commenting on the
discovery of a SYNful firmware implant attack on Cisco Routers
'Tis still the season for hacking, with Cisco routers now
the target of the latest attacks.
Mandiant, the incident-response arm of U.S. security firm FireEye, on Tuesday,
September 15th, 2015 published a report on a router firmware implant found on
Cisco routers, as covered in the article “Cisco router attacks duck cyber
defenses, hit four countries”, published Tue Sep 15, 2015 by Eric Auchard, Reuters.
The attack, dubbed SYNful Knock, targets Cisco routers and has been
confirmed by Cisco. It is called a firmware implant because the attackers replace
the router's Cisco IOS image in flash with a modified copy that survives reboots.
The “SYNful Knock” name comes from the way the implant is controlled: a specially
crafted TCP SYN packet, a “knock”, unlocks a backdoor in the modified image. It
does not spread from router to router on its own; each router has to be implanted
by someone who already has administrative access to it.
Cisco has already alerted customers that use its routers and
other Internet-facing systems. Mandiant has also pointed out that the same kind of
firmware implant could be built for routers made by other manufacturers,
potentially widening the problem.
Mandiant has so far found a total of fourteen (14)
implanted Cisco routers across multiple industries and government agencies in
the following countries:
1. India
2. Mexico
3. Philippines
4. Ukraine
What's even more troubling is that firewalls, antivirus and
other security programs, a US$80 billion industry according to stats from
research firm IDC, cannot protect you from these attacks: the router sits in the
path of every packet entering and leaving the network, outside the hosts where
those products run.
So how does this Router implant work? And what can you do to
defend yourself against it?
How the SYNful Router Firmware implant works - Router access via Inside Job or Phishing Attack
The SYNful attack is, to put it simply, a router firmware
implant: a doctored copy of the router's own operating system.
The hacker first breaks into the computer network, then uses a
compromised computer as a remote terminal to reach the router's management
interface. On home and small-office routers that usually means pointing a browser
at the default gateway address, typically http://192.168.1.1, from any computer
connected to the router; the enterprise Cisco routers hit by SYNful are managed
over the console port, Telnet or SSH, and over HTTP only if the administrator has
left the web server enabled.
Then you enter the login and password for the router, which
in many organizations is still the factory default, printed on the underside of
the device or found online in the manual for that model.
Alternatively, if the network administrator had changed the
login and password, the hacker may resort to a phishing attack to retrieve them,
sending a Trojan horse program via email to someone who has them.
An example of this was the case when the JIS (Jamaica
Information Service) website got hacked back in June 2015, as reported in my blog
article entitled “Anatomy of ISIS hack of the JIS Website - How the @JISNews
Website was hacked and Why Hactivists couldn't access sensitive GOJ Databases”.
Cisco confirms my hypothesis: Cisco states that no known
vulnerability in its software was exploited.
Instead, the attackers used valid administrative credentials, stolen
possibly via phishing or with inside help, or had physical access to the routers;
as this video from CNET indicates, a lot of router logins and passwords are
literally written on the devices themselves.
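The weak points described above, default or reused credentials and a management interface open to anyone on the network, can be checked for in a router's saved configuration. The Python script below is an added example written for this page, not code from FireEye, Mandiant or Cisco: it audits a Cisco IOS configuration text for plaintext and type 7 passwords, `enable password` instead of `enable secret`, an enabled HTTP management server, and Telnet or unrestricted VTY access, and it decodes any type 7 password it finds to show why `service password-encryption` is not protection against a stolen config. The two configurations are constructed samples; the hostname, the access-list and the type 5 hash values are placeholders.

```python
import re

# Cisco's type 7 key stream. Type 7 ("service password-encryption") is
# obfuscation, not encryption: anyone holding a saved config can recover
# every type 7 password offline, which is what decode_type7() does.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Constructed sample configs (hostname, ACL and type 5 hashes are placeholders).
WEAK_CONFIG = """
hostname branch-rtr
enable password cisco
username admin password 0 cisco
username ops password 7 0822455D0A16
ip http server
line con 0
 password 7 0822455D0A16
line vty 0 4
 password 7 0822455D0A16
 login
 transport input telnet ssh
"""

HARDENED_CONFIG = """
hostname branch-rtr
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username admin secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
no ip http server
ip http secure-server
ip ssh version 2
access-list 10 permit 10.0.0.0 0.0.0.255
line con 0
 login local
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
"""


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: 2-digit decimal seed, then hex bytes XORed
    with consecutive key bytes starting at the seed."""
    seed = int(encoded[:2])
    cipher = bytes.fromhex(encoded[2:])
    return "".join(chr(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
                   for i, c in enumerate(cipher))


def audit_ios_config(config: str) -> list:
    """Flag settings that make the 'stolen login' route into the router easy."""
    findings = []
    vty = None            # state of the 'line vty' block currently open, if any
    saw_ssh_v2 = False

    def close_vty():
        if vty is not None and not vty["acl"]:
            findings.append("line vty: no access-class, management reachable from any source")

    for raw in config.splitlines():
        ln = raw.strip()
        if not ln or ln.startswith("!"):
            continue
        if not raw.startswith(" "):       # a new top-level command ends any line block
            close_vty()
            vty = {"acl": False} if ln.startswith("line vty") else None
        if re.match(r"^enable password\b", ln):
            findings.append("enable password in use; use 'enable secret' (salted hash)")
        if re.match(r"^username \S+ (?:privilege \d+ )?password( 0)? \S+$", ln):
            findings.append("plaintext (type 0) user password: " + ln)
        m = re.search(r"\bpassword 7 ([0-9A-Fa-f]{4,})$", ln)
        if m:
            findings.append(f"reversible type 7 password, decodes to {decode_type7(m.group(1))!r}: {ln}")
        if ln == "ip http server":
            findings.append("ip http server enabled: cleartext web management interface")
        if ln == "ip ssh version 2":
            saw_ssh_v2 = True
        if vty is not None:
            if ln.startswith("access-class "):
                vty["acl"] = True
            t = re.match(r"^transport input (.+)$", ln)
            if t and {"telnet", "all"} & set(t.group(1).split()):
                findings.append("line vty: telnet allowed, credentials cross the network in cleartext")
    close_vty()
    if not saw_ssh_v2:
        findings.append("ip ssh version 2 not set: SSHv1 or no SSH at all is possible")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_ios_config(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Run it against a `show running-config` dump saved to a file; the hardened sample produces no findings, while the weak one reports the HTTP server, the Telnet VTY, the missing access-class and the type 7 strings with their recovered plaintext. The point of the decoder is that a config backup in the wrong hands is equivalent to the credentials themselves.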
Once they have this access, they can replace the router's
firmware. In this case they swapped the Cisco IOS image on the router for their
own modified variant, SYNful, which gave them a persistent backdoor in a device
that sees the massive amounts of data flowing through the company network.
How to remove the SYNful Router Firmware implant - Cisco not the Target as the attack will expand to other router brands
This means that not only could they harvest logins and passwords
as well as other personal information such as names, addresses and credit card
numbers of users on that network, but their activities would go undetected for
months, even years, according to FireEye.
This is because conventional firewalls, antivirus and other security
programs run on or in front of the hosts, not inside the router, and so would not
be able to detect this activity.
To make it worse, the implant is persistent: because the modified
image is what the router boots from, it survives reboots, and the modified image
gives the attackers their own backdoor password, so changing the legitimate
credentials alone does not lock them out.
So what's the fix?
Re-image the router from a known-good Cisco IOS image downloaded
directly from Cisco and checked against Cisco's published hash, then change every
login and password that could have been used to install the implant. Firmware
based on Open Source Software such as DD-WRT, which I recommended in my Geezam
blog article entitled “How to access any WEP or WPA/WPA2 Wi-Fi Network that has a
password”, is an option only for the consumer Wi-Fi routers it supports; it does
not run on the Cisco IOS routers that SYNful targets.
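Whatever image you put on the router, the check that actually tells you whether an implant is present is whether the image the router booted matches the hash Cisco publishes for that image. The Python below is an added example for this page, not Cisco's or FireEye's tooling: it reads the image name from `show version` output and the hash from `verify /md5 <file>` output (both real IOS commands; the outputs here are constructed samples with a hypothetical image name), then compares against a manifest of vendor hashes whose value is a placeholder. It also catches the case where the file that was hashed is not the file that booted.

```python
import hashlib
import re

# Constructed manifest: image file name -> MD5 published by the vendor.
# The hash here is a placeholder; in practice copy it from Cisco's download
# page on a trusted workstation, never from the router being checked.
KNOWN_GOOD_MD5 = {
    "c2800nm-advsecurityk9-mz.124-15.T1.bin": "3a1f0c7e9b2d4f6a8c0e1b3d5f7a9c2e",
}

# Constructed samples of what the router prints (real command output formats,
# hypothetical image name and hash values).
SHOW_VERSION = '''Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc3)
System image file is "flash:c2800nm-advsecurityk9-mz.124-15.T1.bin"
'''
VERIFY_OK = '''...........................Done!
verify /md5 (flash:c2800nm-advsecurityk9-mz.124-15.T1.bin) = 3a1f0c7e9b2d4f6a8c0e1b3d5f7a9c2e
'''
VERIFY_TAMPERED = '''...........................Done!
verify /md5 (flash:c2800nm-advsecurityk9-mz.124-15.T1.bin) = 9f8e7d6c5b4a39281706f5e4d3c2b1a0
'''
# The operator hashed a spare copy on flash, not the file that actually booted.
VERIFY_WRONG_FILE = '''...........................Done!
verify /md5 (flash:c2800nm-advsecurityk9-mz.124-15.T1.bin.bak) = 3a1f0c7e9b2d4f6a8c0e1b3d5f7a9c2e
'''


def running_image(show_version_output: str) -> str:
    """Name of the image file the router booted, from 'show version'."""
    m = re.search(r'System image file is "(?:[\w-]+:)?([^"]+)"', show_version_output)
    if not m:
        raise ValueError("no 'System image file' line in show version output")
    return m.group(1)


def parse_verify_md5(verify_output: str):
    """(file name, md5) from the output of 'verify /md5 <file>' on the router."""
    m = re.search(r"verify /md5 \((?:[\w-]+:)?([^)]+)\) = ([0-9a-fA-F]{32})", verify_output)
    if not m:
        raise ValueError("no 'verify /md5 (...) = ...' line found")
    return m.group(1), m.group(2).lower()


def md5_hex(data: bytes) -> str:
    """MD5 of an image file hashed on a trusted host (e.g. a fresh download)."""
    return hashlib.md5(data).hexdigest()


def assess_router(show_version_output: str, verify_output: str, manifest=None) -> str:
    """Verdict: 'ok', 'mismatch', 'unknown-image' or 'wrong-file'."""
    manifest = KNOWN_GOOD_MD5 if manifest is None else manifest
    booted = running_image(show_version_output)
    hashed, observed = parse_verify_md5(verify_output)
    if hashed != booted:
        return "wrong-file"        # the file you hashed is not the one that booted
    expected = manifest.get(booted)
    if expected is None:
        return "unknown-image"     # no vendor hash for this image: treat as suspect
    return "ok" if observed == expected.lower() else "mismatch"


if __name__ == "__main__":
    for label, out in (("clean", VERIFY_OK), ("tampered", VERIFY_TAMPERED),
                       ("wrong file", VERIFY_WRONG_FILE)):
        print(f"{label}: {assess_router(SHOW_VERSION, out)}")
```

A backdoored IOS can lie about its own hash, so a passing result from a suspect router is weak evidence; copy the image file off the router and hash it on a trusted host with `md5_hex`, or better, re-image from a fresh download whose hash you checked the same way before copying it over. An image that is not in your manifest should be treated as suspect, not ignored.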
This attack will continue and may spread to other routers.
Based on the method used, the hackers weren't targeting Cisco as such; it's just
that Cisco's routers are the most widely deployed in the field.
Folks, this will not end well.....