Tuesday, September 15, 2015

FireEye discovers SYNful Router Firmware implant - How SYNful works and how to protect your router

“If you own (seize control of) the router, you own the data of all the companies and government organizations that sit behind that router”

FireEye Chief Executive Dave DeWalt commenting on the discovery of a SYNful firmware implant attack on Cisco Routers

'Tis still the season for hacking, with Cisco Routers now the target of the latest attacks.

Mandiant, a cybersecurity firm, on Tuesday, September 15th, 2015, echoed a report by U.S. security research firm FireEye about a Router Firmware implant attack on Cisco Routers, as reported in the Reuters article “Cisco router attacks duck cyber defenses, hit four countries”, published Tue Sep 15, 2015 by Eric Auchard.




The attack, dubbed SYNful, which is directed at Cisco routers, has been confirmed by Cisco. The Router Firmware implant attack is called SYNful as it allows the firmware to infect interconnected Cisco Routers using syndication functions and certificate authentication to validate each installation.

Cisco has already alerted customers that use its Routers and other Internet-based systems. Mandiant has also pointed out that the SYNful Router Firmware implant attack on Cisco Routers could also be used on routers made by other manufacturers, potentially widening the problem.

Mandiant has also discovered a total of fourteen (14) different instances of the Router Firmware implant attack on Cisco Routers across multiple industries and government agencies in the following countries:

1. India
2. Mexico
3. Philippines
4. Ukraine

What's even more troubling is that firewalls, antivirus and other security programs, a US$80 billion industry according to stats from research firm IDC, cannot protect you from these attacks, as Routers are what computers use to access the Internet.

So how does this Router implant work? And what can you do to defend yourself against it?

How the SYNful Router Firmware implant works - Router access via Inside Job or Phishing Attack

To put it simply, the SYNful attack is basically a Router Firmware implant.

The hacker remotely logs into your router by first breaking into the computer network and then using a computer on that network as a remote terminal to access the router. For most Cisco routers, access to the router is via typing http://198.162.1.1 on any computer connected to the Cisco Router.

Then you enter the login and password for the router, which in most organizations may actually be written on the underside of the router or can be found online in the manuals for the router.

Alternatively, if the Administrator for the Network had changed the login and password, the hacker may decide to use a phishing attack to retrieve the login and password by sending a Trojan horse program via email.

An example of this was the case when the JIS (Jamaica Information Service) website got hacked back in June 2015, as reported in my blog article entitled “Anatomy of ISIS hack of the JIS Website - How the @JISNews Website was hacked and Why Hacktivists couldn't access sensitive GOJ Databases”.

Cisco confirms my hypothesis, as it claims its software has no known vulnerability that the hackers could have exploited.

Instead, Cisco claims, the hackers stole logins and passwords, possibly via phishing, and may have had inside help, as a lot of router logins and passwords are actually physically written on the devices, as this video from CNET indicates.


Once they have this access, they can easily change the router firmware. In this case they substituted the Cisco Router software with their own variant, SYNful, which basically allowed the hackers to monitor massive amounts of data packets flowing through a company network.
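One defender-side check that catches exactly this kind of substitution is to hash the image copied off each router and compare it against a known-good manifest of vendor checksums. This is an added example, not code from FireEye, Cisco or this article; the manifest format, the file names and the image bytes are constructed placeholders.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample images standing in for real firmware files.
VENDOR_IMAGE = b"VENDOR-IMAGE-v1\x00" * 64                     # the genuine image
IMPLANTED_IMAGE = VENDOR_IMAGE[:-16] + b"IMPLANT-PAYLOAD\x00"  # same size, tail replaced


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-good manifest, one "sha256  filename" entry per line.
# In practice this list comes from the vendor's published checksums, never
# from the router being checked.
KNOWN_GOOD_MANIFEST = f"{sha256_hex(VENDOR_IMAGE)}  edge-router.bin\n"


def parse_manifest(text: str) -> Dict[str, str]:
    """Map filename -> expected SHA-256, skipping blank and comment lines."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name.strip():
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name.strip()] = digest.lower()
    return expected


def verify_images(manifest: str, images: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (filename, verdict) for each image pulled from a router.

    Verdicts: 'ok' (matches vendor hash), 'MISMATCH' (image altered, e.g. an
    implant), 'UNKNOWN' (file not in the manifest, so it cannot be trusted).
    """
    expected = parse_manifest(manifest)
    results = []
    for name, data in sorted(images.items()):
        want = expected.get(name)
        if want is None:
            results.append((name, "UNKNOWN"))
        elif want == sha256_hex(data):
            results.append((name, "ok"))
        else:
            results.append((name, "MISMATCH"))
    return results


if __name__ == "__main__":
    pulled = {"edge-router.bin": IMPLANTED_IMAGE, "core-router.bin": VENDOR_IMAGE}
    for name, verdict in verify_images(KNOWN_GOOD_MANIFEST, pulled):
        print(f"{name}: {verdict}")
```

Hash the copy of the image after pulling it off the device, rather than trusting a checksum the router reports about itself, since a modified operating system can misreport its own integrity.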

How to remove the SYNful Router Firmware implant - Cisco not the Target as the attack will expand to other router brands

This means that not only could they get logins and passwords, as well as other personal information such as names, addresses and credit card numbers for users of the network, but their activities would go undetected for months, even years, based on computer logs, according to FireEye.

This is because conventional firewall, antivirus and other security programs would not be able to detect this activity.

To make it worse, the SYNful Router Firmware implant attack allows the firmware to infect interconnected Cisco Routers using syndication functions and certificate authentication to validate each installation, hence its name.

So what's the fix?

Re-image your router with firmware that's based on Open Source Software, such as the Wi-Fi Router firmware DD-WRT, as recommended in my Geezam blog article entitled “How to access any WEP or WPA/WPA2 Wi-Fi Network that has a password”.

This attack will continue and may potentially spread to other routers. Based on the hacking method used, the hackers weren't targeting Cisco directly; rather, its Routers are simply the most popular in the field.

Folks, this will not end well.....


