In so many parts of life, the passing of time is a benefit. Wine and whisky mature, intelligence is gained, and friendships grow stronger. For those of us working in IT security, however, the passing of time brings new challenges. Prolonging the use of older technology exponentially increases risk and the resulting problems can cost more than recommended maintenance/upgrades.
Let’s consider three facts:
Fact 1: IT is fundamental to the economy, safety, health, and well-being of the world’s societies. Today’s IT systems support everything from advanced medical research to a country’s economic growth.
Fact 2: Attacks on IT will continue to evolve in terms of efficiency, complexity, and deviousness. The need for better prevention, detection, and remediation recovery from cyber attacks continues to grow.
Fact 3: IT devices are developed to perform securely within the known constraints and challenges of their launch environment, with flexibility for some upgrades. But at some point, all technology reaches a lifecycle limit. Quite often that limit is less about the device’s ability to “just power up” and more about it doing so securely.
Consider these facts together and what is the conclusion?
This attack isn’t caused by a problem or vulnerability with a Cisco product. It results from an attacker stealing administrative credentials or getting physical access to a networking device, allowing them to load a modified version of operating system software.
Just as technology advances, so too do the nature and sophistication of attacks. Although Mandiant’s research focuses on a specific piece of malware, we believe that it is an example of an evolution of attacks. Attackers are no longer focusing just on disruption, but on compromising credentials to launch an undetected and persistent attack.
For many years we’ve known that networking devices and their credentials are high-value targets for attackers. There has always been a need to protect them accordingly. This was something we reinforced last month in this security bulletin: Evolution in Attacks Against Cisco IOS Software Platforms
We know this is an important topic for our customers, so have created an on-demand webcast outlining how to detect and remediate this type of attack:
The webcast also continues the conversation about good operating procedures, like network hardening and monitoring, that can help prevent this type of attack. The resources it describes can also be found on our Event Response Page.
If you have any additional questions about SYNful Knock, including how we can help implement some of these recommendations, please speak with your Cisco account manager.
If you are experiencing immediate technical challenges and require support, the Cisco Technical Assistance Center (TAC) is here to help.
And if you’re a member of the press with questions, please contact my PR friends at email@example.com.
This post is officially my first after coming over as part of the Cisco acquisition of OpenDNS. Since 2012, I’ve served as the CTO and am proud to be part of an incredible research team, OpenDNS Labs. Like the Talos Research Group we are focused on detecting and preventing threats that help protect our customers globally. We are uniquely positioned to do this through statistical models and classification techniques that are fueled by our satellite view of the Internet’s infrastructure with more than 80 Billion active DNS queries per day.
Today I’d like to share some of our research that we recently published around combining classification models together to better predict, and therefore prevent phishing and targeted attacks. In this post we discuss how we can combine two of our classifiers; NLP Rank and Traffic Spikes to predict malicious domains. Additionally we highlight the value of data visualizations with OpenGraphiti.
While the blog only highlighted some of our capabilities with OpenGraphiti, I recorded a short video of the tool in action below. This video demonstrates how we not only can ingest the data but also digest it visually — enabling incident response teams to pivot through the attackers infrastructure in a way that is difficult in a textual format. The visualization shows the relationships between the top-level host with all the associated fake sites that are associated and identified with NLP Rank. Note: There is no audio.
We at OpenDNS are extremely excited about being part of Cisco and look forward to sharing more of our incredible technology, research, and data moving forward.
Defining what is malware relies on determining when undesirable behavior crosses the line from benign to clearly unwanted. The lack of a single standard regarding what is and what is not acceptable behavior has established a murky gray area and vendors have taken advantage of this to push the limits of acceptable behavior. The “Infinity Popup Toolkit” is a prime example of software that falls into this gray area by bypassing browser pop-up blocking, but otherwise exhibits no other unwanted behavior. After analyzing the toolkit, Talos determined that software exhibiting this type of unwanted behavior should be considered malware and this post will provide our reasoning.
Without a clear standard defining what is and is not acceptable behavior, identifying malware is problematic. In many situations, users are confronted with software that exhibits undesirable behavior such as the Java installer including a default option to install the Ask.com toolbar. Even though many users objected to the inclusion of the Ask.com toolbar, Oracle only recently discontinued including it in Java downloads after Microsoft changed their definition of malware which then classified the Ask.com toolbar as malware.
There is more to unwanted software than just browser toolbars or widgets. Suppose a piece of software exhibits the following characteristics. Would this be considered malware?
The user was not given a choice whether or not to execute this piece of software.
The software was designed to specifically bypass browser security and privacy controls using clickjacking techniques.
The software avoids detection by encrypting portions of its payload.
Extensive fingerprinting (browser, plugins, operating system, and device type) takes place and sent to a third party without user consent.
Historically, threat actors have targeted network devices to create disruption through a denial of service (DoS) situation. While this remains the most common type of attack on network devices, we continue to see advances that focus on further compromising the victim’s infrastructure.
Today, Mandiant/FireEye published an article describing an example of this type of attack. This involved a router “implant” that they dubbed SYNful Knock, reported to have been found in 14 routers across four different countries.
The Cisco PSIRT worked with Mandiant and confirmed that the attack did not leverage any product vulnerabilities and that it was shown to require valid administrative credentials or physical access to the victim’s device.
SYNful Knock is a type of persistent malware that allows an attacker to gain control of an affected device and compromise its integrity with a modified Cisco IOS software image. It was described by Mandiant as having different modules enabled via the HTTP protocol and triggered by crafted TCP packets sent to the device.
Note: Cisco Talos has published the Snort Rule SID:36054 to help detect attacks leveraging the SYNful Knock malware.
Given their role in a customer’s infrastructure, networking devices are a valuable target for threat actors and should be protected as such. We recommend that customers of all networking vendors include methods for preventing and detecting compromise in their operational procedures. The following figure outlines the process of protecting and monitoring Cisco networking devices.