This post was authored by William McVey.
Update 9/23: We updated the tool to version 1.0.1
Talos is constantly researching the ways in which threat actors are evolving to exploit systems. Recently, a piece of persistent malware dubbed “SYNful Knock” was discovered on Cisco routers. While this malware attack is not a vulnerability, as it had to be installed by someone using valid credentials or who had physical access to the device, Cisco has published an Event Response Page that gives customers the information needed to detect and remediate these types of attacks. We are also working with partners to identify compromised systems.
The most recent addition to the toolkit Cisco is providing customers comes after the Cisco PSIRT worked with internal teams and customers to acquire copies of the malware. Talos has now developed a tool that customers can use to scan their own networks and identify routers that may have been compromised by this specific malware. The tool works by scanning devices and networks, looking for routers that answer the SYNful Knock malware's “knock”.
Note: This tool can only detect hosts responding to the malware “knock” as it is known at a particular point in time. This tool can be used to help detect and triage known compromises of infrastructure, but it cannot establish that a network does not have malware that might have evolved to use a different set of signatures.
By the time entries were closed two weeks ago (Sept. 7), we had received more than 3,000 entries from more than 100 countries from startups, incubators, entrepreneurs and independent developers. That’s three times the number of submissions as in the first year of the competition and more than all four of our annual Grand Challenges combined. The top 10 countries with the most entries reflect the geographic scope and diversity of IoT innovation: United States, India, Australia, Canada, United Kingdom, Spain, Germany, Mexico, Russia, and Indonesia.