Nearly 200 Cisco routers infected with SYNful Knock


By Dylan Bushell-Embling
Tuesday, 22 September, 2015


Cisco and ecosystem partner Shadowserver have detected nearly 199 routers compromised with the SYNful Knock malware, but Australia has so far escaped infection.

Security intelligence provider Shadowserver revealed on its blog that the two companies have so far identified 199 unique IP addresses matching SYNful Knock behaviour.

SYNful Knock is a router implant designed to replace router firmware with rogue firmware that gives attackers backdoor access to affected devices, even across equipment reboots.

The malware was originally discovered by Mandiant’s FireEye and detected on an initial 14 routers in four countries.

As of an analysis conducted on Sunday, there have now been potential SYNful Knock detections in 31 countries, Shadowserver said. The largest number of compromised routers is in the US (65), followed by India (12) and the Russian Federation (11).

“It is important to stress the severity of this malicious activity. Currently, Shadowserver believes that any machine that responds to this scan is potentially compromised. Compromised routers should be identified and remediated as a top priority,” Shadowserver said in the blog post.

To help avoid infection, Cisco is recommending that enterprises take steps to harden Cisco devices against attacks; implement instrument-based network and device integrity monitoring; and monitor their networks for SYNful Knock activity.

Image courtesy of Leonardo Rizzi under CC
