Hundreds of Cisco Routers Carrying Malware

Nearly 200 Cisco internet routers have been found to carry malware, reports volunteer internet security organisation Shadowserver Foundation. News of infected Cisco routers was first reported by the company itself back in August, when it was revealed that attackers had replaced firmware on the devices with malicious malware implants, allowing them full access to networks and all information passed through it.

Last week, Madiant of FireEye claimed that 14 infected Cisco routers had been over four countries – calling the threat SYNful Knock – though Cisco was quick to point out that it is not the only vendor that is vulnerable to such an attack.

“While Mandiant saw this attack across specific Cisco models, the key focus of this research is more about an evolution in attack types and how important it is for all network administrators to ensure security best practices are implemented,” said Yvonne Malmgren, Business Critical Communications Manager for Cisco Corporate Communications, told SecurityWeek Network devices, of many types and from many companies, are high-value targets for malicious actors.”

Mandiant later reported that the number of confirmed infections of Cisco hardware had risen to 79, over 19 countries. Monday then brought the news, courtesy of Shadowserver, that 199 routers were found to be carrying SYNful Knock, one-third of which are believed to be within the US.

“It is important to stress the severity of this malicious activity. Currently, Shadowserver believes that any machine that responds to this scan is potentially compromised. Compromised routers should be identified and remediated as a top priority,” a Shadowserver spokesperson said.

Cisco has published an article regarding the detection and countenance of SYNful Knock.

Thank you Security Week for providing us with this information.

Image courtesy of diTii.