Nearly 200 Cisco routers infected with SYNful Knock


By Dylan Bushell-Embling
Tuesday, 22 September, 2015


Cisco and ecosystem partner Shadowserver have so far detected nearly 199 routers compromised with the SYNful Knock malware, but Australia has so far escaped infection.

Security intelligence provider Shadowserver revealed on its blog that the two companies have so far identified 199 unique IP addresses matching SYNful Knock behaviour.

SYNful Knock is a router implant designed to replace router firmware with rogue firmware that gives attackers backdoor access to affected devices, even across equipment reboots.

The malware was originally discovered by Mandiant’s FireEye and detected on an initial 14 routers in four countries.

As of an analysis conducted on Sunday, there have now been potential SYNful Knock detections in 31 countries, Shadowserver said. The largest number of compromised routers is in the US (65), followed by India (12) and the Russian Federation (11).

“It is important to stress the severity of this malicious activity. Currently, Shadowserver believes that any machine that responds to this scan is potentially compromised. Compromised routers should be identified and remediated as a top priority,” Shadowserver said in the blog post.

To help avoid infection, Cisco is recommending that enterprises take steps to harden Cisco devices against attacks; implement instrument-based network and device integrity monitoring; and monitor their networks for SYNful Knock activity.

Image courtesy of Leonardo Rizzi under CC
