The security of our customers is critical, and when needed, we pull out all stops to protect them.

Cisco participates in a large ecosystem of partners, industry peers (yes, that includes competitors), and non-profits that provides insight and awareness into a multitude of security threats. We also have deep internal expertise. The Cisco Talos organization is focused on threat research and content for our security offerings, our Information Security teams protect Cisco’s own network, and our PSIRT organization delivers coordinated vulnerability management.

Together these teams and partners represent a powerful ally for Cisco customers, working around the clock to develop robust detections and protect the integrity of Cisco IOS devices.

Our Talos team, along with one of our ecosystem partners Shadowserver, have been scanning to detect potential exposure to the malware now known as SYNful Knock. Many of our enterprise and service provider customers have seen the increase in scanning from Shadowserver to detect the related Indicators of Compromise (IOCs).

Shadowserver has established reporting capabilities, and at our request, additional data will now be included for potential matches to the SYNful Knock IOCs. Existing ShadowServer customers will benefit from this additional reporting soon. If you are not currently receiving their reports, you can request service on their website.

We believe this activity supports Cisco efforts that are already underway to identify and alert customers to potential exposures. It adds to the conversations we’re having with customers about the need for broad-based risk assessment, containment, and remediation. Our focus is on the integrity of Cisco devices, for this set of IOCs and beyond.

You can read my earlier blog posts on this subject: SYNful Knock: Detecting and Mitigating Cisco IOS Software Attacks and SYNful Knock: Protect Your Credentials, Protect Your Network to obtain more information about protecting your credentials and infrastructure, as well about techniques for detecting and mitigating attacks against Cisco IOS Software.

We remain focused on leveraging the benefits of our extensive industry relationships for our customers, and sharing the information needed they need to respond to a changing threat landscape.

As a reminder, you can find more about Cisco’s response to SYNful Knock on our Event Response Page.


Omar Santos

Distinguished Engineer

Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations