Malicious SYNful Cisco router implant found on more devices around the globe

“After FireEye researchers published on Tuesday their discovery of 14 Cisco routers in India, Mexico, Philippines and Ukraine that have been implanted with a modified, malicious Cisco IOS image, another group of researchers has decided to scan the public IPv4 address space for other affected devices.

“The implant is fingerprintable and we are able to scan for infected servers without invoking the vulnerability by modifying ZMap to send the specially crafted TCP SYN packets. We completed four scans of the public IPv4 address space on September 15, 2015 and found 79 hosts displaying behavior consistent with the SYNful Knock implant,” they shared their results.

Here’s the rundown of the affected devices according to location:

What’s interesting is that all the 25 hosts affected in the US belong to a single service provider on the East Coast, and those in Germany and Lebanon to a satellite provider that provides coverage to Africa.

“We searched for SYN packets that would have triggered the backdoor in the past thirty days of historical network traffic captured from a /14 (~262K addresses) network telescope. We find no evidence of scanning prior to public disclosure. While this does not preclude any targeted attacks, we find no historical Internet-wide scanning for the exploit during this time,” they added.

It’s also difficult to tell which individual or group might be wielding the SYNful Knock implant.

While they are trying to contact and warn the organizations whose hosts have been compromised, FireEye has detailed several ways how organizations can check whether they have been affected.”