FireEye indicated that detailed instructions on how to detect the implant are forthcoming.Īs the vulnerability persists across reboots, the only available option is to flash the router with the newest Cisco IOS image available for the device to ensure the complete removal of the implant. For forensics purposes, collecting the modules requires a core dump. The modules loaded by the implant do not persist after a reboot. Considering the purpose and placement of routers on the network, it is advisable to check devices connected to networks in which this vulnerability has been exploited for further intrusion. In Cisco's post about the vulnerability, the company stated it has added a Snort rule to detect affected systems.
How to detect and patch vulnerable systems
In an interview with Reuters, FireEye CEO Dave DeWalt indicated that based on the logs from affected routers, the attacks have been ongoing for "at least a year."Īccording to FireEye, the similarities in core functionality and IOS software indicate that other router models are likely vulnerable to this exploit. The known affected router models include the Cisco 1841, 2811, and 3825 routers, all of which are products that are no longer sold by Cisco. The security research firm FireEye announced Septemthat a major vulnerability in Cisco IOS called SYNful Knock allows attackers to gain control of enterprise-grade routers, allowing attackers to monitor all network communication, and provide an easier means to infect other network devices.Īt the time of release, there are 14 currently known infected routers across India, Mexico, Philippines, and Ukraine. Cisco has published this guidance on detecting and removing the implant from affected hardware.
FireEye and Cisco indicate that this can only be exploited by physical access, discovery of the administrative password, or use of a default password. 18, 2015: An earlier publication of this article indicated that SYNful Knock relied on a vulnerability of Cisco IOS.