Historically, threat actors have targeted network devices to create disruption through a denial of service (DoS) situation. While this remains the most common type of attack on network devices, we continue to see advances that focus on further compromising the victim’s infrastructure.
Today, Mandiant/FireEye published an article describing an example of this type of attack. This involved a router “implant” that they dubbed SYNful Knock, reported to have been found in 14 routers across four different countries.
The Cisco PSIRT worked with Mandiant and confirmed that the attack did not leverage any product vulnerabilities and that it was shown to require valid administrative credentials or physical access to the victim’s device.
SYNful Knock is a type of persistent malware that allows an attacker to gain control of an affected device and compromise its integrity with a modified Cisco IOS software image. It was described by Mandiant as having different modules enabled via the HTTP protocol and triggered by crafted TCP packets sent to the device.
Note: Cisco Talos has published the Snort Rule SID:36054 to help detect attacks leveraging the SYNful Knock malware.
Given their role in a customer’s infrastructure, networking devices are a valuable target for threat actors and should be protected as such. We recommend that customers of all networking vendors include methods for preventing and detecting compromise in their operational procedures. The following figure outlines the process of protecting and monitoring Cisco networking devices.
Issue: I have 1 username within CISCO ISE that I wish to limit to only being able to TACACS into 1 device. e.g. BOB SMITH can SSH / WebUI into device X only.. I have been testing with Policy Sets / Policy Elements. Not sure if I'm on the correct...
I recently did an upgrade on an sfr on 5545 with Firepower Services from 6.2.0 to 6.4.0. The upgrade took a little more than an hour and everything thing came up on the sfr module ok after the reboot. Looking at it through the FMC, everything seems f...
I'm trying to open web traffic to: upgrade.bitdefender.com on an FMC. I made a change to the access control rules as indicated in the attached pic, but it's had no effect. Is the correct policy to modify? Thanks!