SYNful Knock – a serious threat to network security
SYNful Knock and other horror stories
Over the past year or so there have been many reports of router vulnerabilities adding to the constant stream of threats to our network security. These have predominantly been found in SOHO routers. The headlines could easily be mistaken for scaremongering (see below for links to articles) but having read into the detail I believe the headlines are understating the threat. The vulnerabilities include access to router management and configuration files enabling access to weakly hashed passwords and wireless access codes that can easily be decoded.
“…even if you removed the offending router any replacement device is likely to have the same vulnerability.”
Once compromised, the routers can be used in DDoS attacks, data theft, and access to IP cameras and any other networked devices. With the Internet of Things gaining momentum, hackers could very easily gain access to domestic appliances. Some experts are saying that even if you removed the offending router, any replacement device is likely to have the same vulnerability.
To add to the problem, experts have discovered a new vulnerability that affects Cisco enterprise routers, referred to as SYNful Knock. This is a particularly nasty compromise in which the attacker gains access to the file system and replaces the operating system with a modified version. The modified IOS enables the attacker to repeatedly gain access to the router to launch attacks on the local network or on third-party networks via the Internet. The compromise is so sophisticated that the rogue OS has the same file sizes as the IOS it replaced, so it is extremely difficult to see. Once the attacker can access the router on demand, their access to other systems may go unnoticed for some time.
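Because the implant keeps the file size identical to the genuine image, a size check alone tells a defender nothing; the image has to be compared against a known-good cryptographic hash taken from a trusted source. The following is an added example, not code from the original post or from Cisco, that shows why: it builds a constructed manifest for a hypothetical image, then checks a tampered copy of the same length and reports that the size matches but the hash does not. The image name, image bytes and manifest are all constructed placeholders.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageRecord:
    """Known-good size and SHA-256 for one OS image (constructed here)."""
    size: int
    sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(images: dict) -> dict:
    """Build a known-good manifest from trusted image bytes.

    In practice this comes from the vendor's published hashes, never
    from the device being checked.
    """
    return {name: ImageRecord(len(data), sha256_hex(data)) for name, data in images.items()}


def check_image(name: str, data: bytes, manifest: dict) -> str:
    """Return a verdict for an image pulled off a device.

    OK                      size and hash both match the manifest
    UNKNOWN_IMAGE           no known-good record for this image name
    SIZE_MISMATCH           cheapest check, catches crude replacements
    HASH_MISMATCH_SAME_SIZE the SYNful Knock case: size matches, content does not
    """
    expected = manifest.get(name)
    if expected is None:
        return "UNKNOWN_IMAGE"
    if len(data) != expected.size:
        return "SIZE_MISMATCH"
    if sha256_hex(data) != expected.sha256:
        return "HASH_MISMATCH_SAME_SIZE"
    return "OK"


# --- constructed sample data (hypothetical image, not a real Cisco image) ---
GOOD_IMAGE = bytes(range(256)) * 16            # 4096 bytes standing in for a genuine image
TAMPERED_IMAGE = bytearray(GOOD_IMAGE)
TAMPERED_IMAGE[100:108] = b"IMPLANT!"          # same length, eight bytes changed
TAMPERED_IMAGE = bytes(TAMPERED_IMAGE)
IMAGE_NAME = "hypothetical-ios-image.bin"      # placeholder name
MANIFEST = build_manifest({IMAGE_NAME: GOOD_IMAGE})


if __name__ == "__main__":
    for label, blob in (("genuine", GOOD_IMAGE), ("tampered", TAMPERED_IMAGE), ("truncated", GOOD_IMAGE[:-1])):
        print(f"{label:10s} size={len(blob)} verdict={check_image(IMAGE_NAME, blob, MANIFEST)}")
```

On a real Cisco IOS device the same comparison is done with the built-in `verify /md5 flash:<image>` command, checking the result against the hash the vendor publishes for that release rather than against anything stored on the router. The lesson of the script is the second verdict: an image can be the right size and still be the wrong image.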
“…No one knew exactly how long this had been going on, nor did anyone know the extent of the data theft.”
These sustained attacks are not new. Back in the early 1980s I was working for a large national organisation when I noticed some strange activity on a PSTN modem and accidentally stumbled on an attack in progress. On further investigation with the customer’s data processing team we discovered their main business systems had been compromised and whoever was launching the attack had been accessing the systems over a period of time. No one knew exactly how long this had been going on, nor did anyone know the extent of the data theft.
Towards the end of the 1980s one of my customers stumbled across an accounting discrepancy where tens of thousands of pounds were being filtered out of the accounts each year through bogus credit card refunds. On this occasion the attacker had compromised the system via the public X.25 packet switched network. The general consensus within the incident team was that whoever was illegally accessing the system to make the refunds knew the inner workings of this particular system. We were engaged to secure the X.25 connectivity to prevent any further attacks. This decision was made after discussions between the incident team, our engineers and the police, who concluded it would be futile to try to trace and catch the criminals, as they were launching their attack from outside the UK via dial-up access to the packet network.
“Simple human errors during configuration, installation or subsequent testing could leave a system wide open.”
These were very sophisticated attacks for the time. The systems in question had what were considered as appropriate security measures in place but they had been compromised. It was only by pure chance in the first example and accounting due diligence in the latter example that the attacks were discovered enabling us to take defensive action to stop them. The attackers were never identified.
As far as I have read, the attacker needs to have access to the Cisco router using an existing account to load the rogue OS. This does make it more of a challenge for would-be attackers, but it does emphasise the need for tight controls around router access. Placing malware on a router is easy if it is insecure. I realise this is stating the obvious, but wherever humans are involved mistakes are inevitable. Simple human errors during configuration, installation or subsequent testing could leave a system wide open.
“…routers and switches are also more likely to be overlooked because they are not visible and assumed to be safe…”
The fact that the routers providing the connectivity across our networks are vulnerable is no surprise. Anyone involved in securing networks for specific requirements, such as carrying payment card data (PCI DSS), will be aware of the risks. Routers and switches generally attract much less attention than the endpoints and servers when it comes to security, maybe because endpoints and servers are more visible and considered to be more vulnerable. After all, it only requires one user’s endpoint to become infected to then spread and infect servers and other endpoints. But routers and switches are also more likely to be overlooked because they are not visible and assumed to be safe – what can’t be seen can’t hurt me. Some experts say the problem is exacerbated by the fact that router compromises are generally complex and too technical for the general public to understand, so they are rarely reported in the press.
It seems a week doesn’t go by without news of an organisation having its IT security compromised. Some security incidents barely make the press, while others have such a devastating effect that they make world-wide news. It is human nature to breathe a sigh of relief that it is someone else and not me, but according to many IT security experts organisations fall into two camps: those that have had their systems compromised and those that are not yet aware they have had their systems compromised. A sobering thought.
Headlines and links to articles…
- Attackers can take over Cisco routers – other routers at risk too…
- Malware implants on Cisco routers revealed to be more widespread…
- At least 700,000 routers given to customers by ISPs are vulnerable to hacking…
- Attackers abuse legacy routing protocol to amplify distributed denial-of-service attacks…
- Your router – a gateway for hackers…
- Cisco’s SDN controller has a security hole…