
Interest in IT security has never been higher. So when a new type of attack comes along, it attracts the attention of our customers and others in the industry.

Earlier this week Cisco and Mandiant/FireEye released information about the so-called SYNful Knock malware found on Cisco networking devices. You can read my earlier blog on this subject here: SYNful Knock: Detecting and Mitigating Cisco IOS Software Attacks.

This attack isn’t caused by a problem or vulnerability with a Cisco product. It results from an attacker stealing administrative credentials or getting physical access to a networking device, allowing them to load a modified version of operating system software.

Just as technology advances, so too do the nature and sophistication of attacks. Although Mandiant’s research focuses on a specific piece of malware, we believe that it is an example of an evolution of attacks. Attackers are no longer focusing just on disruption, but on compromising credentials to launch an undetected and persistent attack.

For many years we’ve known that networking devices and their credentials are high-value targets for attackers. There has always been a need to protect them accordingly. This was something we reinforced last month in this security bulletin: Evolution in Attacks Against Cisco IOS Software Platforms.

We know this is an important topic for our customers, so we have created an on-demand webcast outlining how to detect and remediate this type of attack:

https://youtube.com/watch?v=KlcpPpHEfYg

The webcast also continues the conversation about good operating procedures, like network hardening and monitoring, that can help prevent this type of attack. The resources it describes can also be found on our Event Response Page.

If you have any additional questions about SYNful Knock, including how we can help implement some of these recommendations, please speak with your Cisco account manager.

If you are experiencing immediate technical challenges and require support, the Cisco Technical Assistance Center (TAC) is here to help.

And if you’re a member of the press with questions, please contact my PR friends at media_pr@cisco.com.



Authors

Omar Santos

Distinguished Engineer

Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations