The United States Computer Emergency Readiness Team (US-CERT) has issued a warning about the rising threat to network infrastructure devices following a spate of attacks.
As US-CERT points out in the warning, protecting the network infrastructure is critical if the confidentiality, integrity, and availability of data and communication services are to be preserved. While organizations have perimeter defenses in place to protect their networks from attack, it is no longer sufficient to rely on firewalls and intrusion detection systems alone.
The capabilities of organized hacking groups have increased considerably in recent years. In addition to installing perimeter defenses, organizations must also be able to protect internal systems from attack and implement the necessary policies and technologies to contain attacks when they do occur.
Advanced threat actors and skilled hackers search for vulnerable network devices that can be exploited. Those malicious actors are well aware that oversight of network devices is often poor. IT security professionals often fail to monitor network devices and only investigate potential attacks when network connectivity is broken. When these devices are compromised, the hackers can usually remain undetected for long periods of time. Even when attacks are detected and systems are cleaned, malicious cyber actors with persistent access can simply re-attack cleaned hosts.
US-CERT has warned of two specific threats to network infrastructure devices: the SYNful Knock malware, which modifies the operating system image on routers to give attackers network access, and attacks on Cisco Adaptive Security Appliance (ASA) devices. Malicious actors have been able to exploit vulnerabilities in the devices and install malicious code. This allows those actors to “modify the contents of the Random Access Memory Filing System (RAMFS) cache file system and inject the malicious code into the appliance’s configuration.”
Cisco responded by issuing patches to correct the vulnerabilities in 2011, yet many organizations have failed to install those patches and the attacks continue. Even organizations that have good patch management policies remain vulnerable to attack because network devices are forgotten and remain unpatched for long periods of time.
SYNful Knock was first discovered in September last year. The malware installs a backdoor into the network and serves as a launchpad for attacks on other hosts. A communication channel is opened between the compromised device and the attackers' C&C server. They are then able to move around the network and access and exfiltrate sensitive data. The malware is not installed by exploiting a zero-day vulnerability; instead, it is believed that attackers install it using default login credentials or credentials obtained from other devices. Many organizations fail to change default logins, leaving their network devices vulnerable to attack.
Unless organizations take steps to mitigate the threat to network infrastructure devices, attacks are likely to occur. US-CERT has provided a number of mitigations to address the threat to network infrastructure devices. They can be viewed at this link.