Dubbed SYNFul Knock, the implant is “a stealthy modification of the router’s firmware image that can be used to maintain persistence within a victim’s network,” according to Bill Hau and Tony Lee at FireEye.
A router’s firmware is the factory-loaded software that runs every function involved in connecting local computers to the Internet so they can send and receive data. Because the malware is embedded in the firmware, it loads the moment the router is powered on, and the actor controlling it can gain total access to the target.
“If you own the router, you own the data of all the companies and government organizations that sit behind that router,” FireEye CEO Dave DeWalt told Reuters. “This is the ultimate spying tool, the ultimate corporate espionage tool, the ultimate cybercrime tool.”
Resetting an infected router won’t help. Only re-imaging the firmware onto the router can possibly wipe away SYNFul Knock — a laborious, specialized process. For a home router, you might be better off throwing it out and buying a new one.
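Because a firmware implant survives a reset, the practical check is whether the image on a router still matches a known-good image from the vendor. The script below is an added illustration of that integrity check and is not code from the article or from FireEye or Cisco; the image bytes, image names and manifest are constructed sample data. It builds a trusted manifest of SHA-256 digests from known-good images, then classifies candidate images as matching, tampered, or unknown.

```python
import hashlib

# Constructed sample data (hypothetical, not real firmware): three known-good
# images as they would be obtained from the vendor, not from the device.
KNOWN_GOOD_IMAGES = {
    "router-1841-image.bin": b"ROUTER-1841 firmware image (constructed sample)",
    "router-2811-image.bin": b"ROUTER-2811 firmware image (constructed sample)",
    "router-3825-image.bin": b"ROUTER-3825 firmware image (constructed sample)",
}


def sha256_hex(data: bytes) -> str:
    """Return the hex SHA-256 digest of an image blob."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(images: dict) -> dict:
    """Map image name -> trusted digest, computed from vendor-supplied images."""
    return {name: sha256_hex(blob) for name, blob in images.items()}


def verify_image(name: str, data: bytes, manifest: dict) -> str:
    """Classify a candidate image pulled off a router.

    Returns "ok" when the digest matches the manifest entry, "mismatch" when the
    image name is known but the bytes differ (the case a modified firmware image
    would produce), and "unknown" when the manifest has no entry for the name.
    """
    expected = manifest.get(name)
    if expected is None:
        return "unknown"
    return "ok" if sha256_hex(data) == expected else "mismatch"


def audit(candidates: dict, manifest: dict) -> dict:
    """Verify every candidate image and return name -> status."""
    return {name: verify_image(name, blob, manifest) for name, blob in candidates.items()}


if __name__ == "__main__":
    manifest = build_manifest(KNOWN_GOOD_IMAGES)
    # Constructed candidates: one intact copy, one copy with bytes appended to
    # stand in for a modified image, and one image the manifest does not cover.
    candidates = {
        "router-1841-image.bin": KNOWN_GOOD_IMAGES["router-1841-image.bin"],
        "router-2811-image.bin": KNOWN_GOOD_IMAGES["router-2811-image.bin"] + b"\x00extra",
        "router-9999-image.bin": b"no manifest entry for this one",
    }
    for name, status in audit(candidates, manifest).items():
        print(f"{name}: {status}")
```

The comparison is only meaningful if both the trusted digests and the candidate image bytes come from outside the suspect device: a digest reported by a compromised router, or an image copied through it, can be falsified by the implant itself, so compute the hash over an image retrieved out of band and compare it with the digest the vendor publishes.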
Routers are a particularly juicy target for hackers because they connect computers to networks and sit beyond the reach of firewalls and threat mitigation software. Researchers had previously regarded router implants as a purely hypothetical form of malware, leaving packet-flooding denial-of-service attacks as the primary threat to routers. The confirmation of router-hijacking malware in the wild means this kind of attack is expected to become a primary cyberweapon for espionage.
Found on routers in India, Mexico, the Philippines and Ukraine, the malware is believed by experts from FireEye’s forensics division Mandiant to be so complex and powerful that it could only have been created by a handful of nation-state actors with extensive expertise and resources in cyberintelligence. DeWalt declined to name which countries he suspected were behind the attacks.
Cisco confirmed it notified customers of the attacks last month and that they were not due to a software vulnerability. Instead, attackers stole network credentials from the targeted organizations. So, for example, a password cracking tool used against a Cisco router with a relatively weak password could have given the attackers the access they needed to implant SYNFul Knock in the organizations they were targeting.
DeWalt notes that while FireEye observed the malware specifically on Cisco router models 1841, 2811 and 3825, SYNFul Knock or a similar variant has likely hit routers from other manufacturers.