Security researchers working for the Mandiant team at FireEye have identified 14 instances of a router hack they claim can take over Cisco routers.

The group detected rogue software – dubbed

SYNful Knock – that could be embedded in the Cisco IOS operating system in Ukraine, Philippines, Mexico and India.

According to the team, SYNful Knock is a modification of the router’s firmware image that can be used to maintain persistence in a victim’s network. If the router is restarted, the rogue code continues to run.

FireEye wrote in a blog post: “It is customisable and modular in nature, so it can be updated once implanted. Even the presence of the backdoor can be difficult to detect as it uses non-standard packets as a form of pseudo-authentication.”

According to FireEye, attackers can seize control of routers and gain access to the information of the companies that sit behind them.

“We believe the detection of SYNful Knock is just the tip of the iceberg when it comes to attacks utilising modified router images, regardless of supplier. As attackers focus their efforts on gaining persistent access, it is likely other undetected variants of this implant are being deployed worldwide,” FireEye said.

The security firm warned that the attack would render perimeter-level security useless, since it would compromise the internal network.

As Computer Weekly has previously reported, home routers used by teleworkers pose a security weakness in the enterprise as they often provide backdoor access, which can be exploited by hackers to penetrate corporate networks.

But enterprise routers are often considered more secure. Bill Hau, vice-president of Mandiant Security Consulting Services at FireEye, said: “Nobody suspects routers can be compromised, but they are a persistent mechanism for attacks and provide excellent access to the network.”

The hack runs as an operating system firmware update. Once it has been installed, Hau said the code is flexible, modular and upgradable and can be uploaded on the fly. He urged the IT security community to check enterprise network devices to ensure they had not been compromised.

The hack requires an intruder to gain logical access to the router with a valid administrator username and password. These credentials are then used to install the rogue firmware. Given the router needs to be accessed, the team at FireEye believes the router attack would be part of a wider targeted attack on a business.

Even if the wider attack is eventually blocked, if a network administrator’s details are compromised, the rogue firmware could be installed surreptitiously and would remain valid, leaving the organisation’s network wide open.

“People don’t change the default password on network equipment. When an attack occurs, they re-use credentials,” he said.

By not changing the passwords, this enables hackers to continue compromising the organisation’s routers. There is also a potential risk if equipment is acquired in the so-called grey market or second user market.

Read more about network security