NCSC Security Advisory - NCSC-ADV-2015-127


This week Mandiant published a report on the security of internet facing routers entitled “SYNful Knock”. It is important not to forget this aspect of corporate network security as, if an actor gains access to this equipment, they could completely bypass other intrusion prevention/detection systems on the network. This could include routing other malicious traffic across your router (including malware) and accessing your information by viewing or diverting network traffic. Mandiant use the analogy of spending all your efforts defending a castle with high walls and top grade weaponry only to have the attackers undermine the foundations. Where the majority of attacks would focus on the application layer, this form of attack is a direct assault on the network layer.

SYNful Knock

The Mandiant report below describes a specific example of a router exploitation capability that the company has been investigating. In very basic terms, the actors appear to be using default, simple, or easily guessed passwords to access particular models of Cisco routers and then replacing the machines’ operating system software (firmware) with a malicious version. Detailed advice on detecting and mitigating this particular attack can be found in their report. 

General mitigation

There are several important factors to consider when setting up a new router, or examining the security of existing equipment. Some of the points to consider are:

  • Changing all default usernames and passwords – many manufacturers set default credentials for these devices at the factory but are readily available for an attacker to find online; use strong passwords that are changed regularly; and do not re-use credentials across your estate.
  • Keep firmware up to date – check for new versions on a regular basis and ensure that verified versions of this critical software are sourced from trusted providers.
  • Disable remote management of the router across the internet, including the remote upgrade functionality, where possible; otherwise manage, maintain and monitor remote accesses to the router and do not forget to log out after configuring the router.
  • Disable unnecessary services – disable all unnecessary services to reduce the router’s exposure.
  • Enable router logging and review regularly information regarding intrusions, probes attacks etc. and ensure that the router’s real time clock is set correctly to assist with later log analysis.
  • If there is an owner’s mailing list for your router equipment, register for alerts on new vulnerabilities.

For routers that have wireless access available:

  • Do not use default SSID values as this may release information that allows an attacker to easily identify the type of router in use.
  • Ensure the best level of security is in use (WPA2-AES).
  • Restrict the range of a wireless network so that it does not extend beyond your premises.