SYNful Knock: Detecting and Mitigating Cisco IOS Software Attacks

September 15, 2015 - 14 Comments

Historically, threat actors have targeted network devices to create disruption through a denial of service (DoS) situation. While this remains the most common type of attack on network devices, we continue to see advances that focus on further compromising the victim’s infrastructure.

Recently, the Cisco Product Security Incident Response Team (PSIRT) has alerted customers around the evolution of attacks against Cisco IOS Software platforms.

Today, Mandiant/FireEye published an article describing an example of this type of attack. This involved a router “implant” that they dubbed SYNful Knock, reported to have been found in 14 routers across four different countries.

The Cisco PSIRT worked with Mandiant and confirmed that the attack did not leverage any product vulnerabilities and that it was shown to require valid administrative credentials or physical access to the victim’s device.

SYNful Knock is a type of persistent malware that allows an attacker to gain control of an affected device and compromise its integrity with a modified Cisco IOS software image. It was described by Mandiant as having different modules enabled via the HTTP protocol and triggered by crafted TCP packets sent to the device.

Note: Cisco Talos has published the Snort Rule SID:36054 to help detect attacks leveraging the SYNful Knock malware.

Given their role in a customer’s infrastructure, networking devices are a valuable target for threat actors and should be protected as such. We recommend that customers of all networking vendors include methods for preventing and detecting compromise in their operational procedures. The following figure outlines the process of protecting and monitoring Cisco networking devices.


ios compromise

We thank Mandiant/FireEye for their focus on protecting our shared customers, and for adding their voice to calls for greater focus on network security.

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. SYNful Knock Cisco Implant vulnerability is causing to all cisco devices at the moment or only ROUTERS

  2. Thanks for sharing Omar!

  3. Thanks for the great posts. I had the official report from FireEye and I am currently talking to clients and engineers about it. Thank you all.

  4. I think that everyone wants to carefully review their boot procedures, particularly as it relates to tftpboot scenarios and the security of remote tftp services and insure that if you receive a new device, particularly if you are unfamiliar with the reseller of the product, replace the boot image with a known good binary downloaded directly from cisco with hash analysis completed prior to install and operation.

  5. Hi

    Is there a version of the code this is happening on ie: 12.4



  6. How could the “malware overwrites several legitimate IOS functions with its own executable code.” in a compiled code?? Does that imply having access to the source code? Or reverse engineering the compiled code?

  7. The most important part about this vulnerability is the pre-requisite of “having the admin credentials”. So trust anchor is a great approach to ensure the SW (e.g. IOS) images are authentic and authorized.
    At the same time it would be good if trustcenter doc can provide more details per platform.

  8. Newer platforms support Cisco Trust Anchor Technologies.
    This provides the foundation for trustworthy systems across Cisco.
    The Cisco Trust Anchor and a Secure Boot check of signed images help ensure that the code running on Cisco hardware platforms is authentic and unmodified, establishing a hardware-level root of trust and an immutable device identity for the system to build on.
    For more information visit the following link:

  9. Until now, routers weren’t known to be vulnerable to outright takeover
    Security researchers say they have uncovered clandestine attacks across three continents on the routers that direct traffic around the internet, potentially allowing suspected cyberspies to harvest vast amounts of data while going undetected.

    In the attacks, a highly sophisticated form of malicious software, dubbed SYNful Knock, has been implanted in routers made by Cisco, the world’s top supplier, U.S. security research firm FireEye said on Tuesday.

    If you own (seize control of) the router, you own the data of all the companies and government organizations that sit behind that router.
    – Dave Dewalt, FireEye
    Routers are attractive to hackers because they operate outside the perimeter of firewalls, anti-virus, behavioural detection software and other security tools that organisations use to safeguard data traffic. Until now, they were considered vulnerable to sustained denial-of-service attacks using barrages of millions of packets of data, but not outright takeover.

  10. Check the MD5 of the image. It should be the same as the MD5 of the proper image downloadable from Cisco. If it does not have the right MD5, it could be imfected by malware or just be corrupted. In any case, replace the image and verify the MD5 upon installation.

    • in such sophisticated exploit file size and checksum are kept the same. Not a hard thing to do. Read ppublished info to see how sophisticated and stealthy the attack is.

      • Can you share some link that report evidence of exploit that keep file MD5 hash the same of original IOS (without compromising hash calculation command on the router)?
        Thank you.

    • The infected image is the one in the RAM, not EEPROM. The check you are suggesting is for the image in the EEPROM. Is there a way to check the MD5 of the image in the RAM, what could be infected with this “sinful-knock” code?