General Discussion
Related: Editorials & Other Articles, Issue Forums, Alliance Forums, Region ForumsRouter Hack Creates "Ultimate Listening Device" To Monitor A Country's Entire Internet Traffic
LONDON -- Malicious software that can infect the hardware that comprises much of the core architecture of the Internet has allowed hackers to create what has been dubbed the "ultimate listening device."
The software, the origin of which is not publicly known, targets routers, which control the flow of traffic on the Internet. The hack, which replaces the routers' native operating system, lets attackers silently monitor, reroute and copy all online communications passing through that device.
Dubbed Synful Knock by the researchers at Mandiant, who revealed the situation Tuesday, it has so far been shown to be exploited in the wild only on Cisco Systems Inc. routers in four countries -- Mexico, Ukraine, Phillipines, and India.
"We have only been able to prove its existence in the wild for actual attacks on Cisco routers, but we actually believe that Huawei routers or Juniper routers have the same vulnerabilities and ultimately can be exploited in a similar way. The mass of the router architecture of the world is at risk," Dave DeWalt, the CEO of security company FireEye Inc. which owns Mandiant, told International Business Times.
http://www.ibtimes.com/router-hack-creates-ultimate-listening-device-monitor-countrys-entire-internet-2097511
gordianot
(15,238 posts)snooper2
(30,151 posts)Amazingly, Carriers and operators of telecom networks don't publicly announce bugs or issues, they work directly with their vendors. I'm sure the first couple production cases went straight to the Cisco TAC.
You have to have admin rights on the router and run through the IOS upgrade process. If somebody is stupid enough to have a security hole that big in their network since they aren't running radius or TACACS they deserve to be hacked
Security Activity Bulletin
Evolution in Attacks Against Cisco IOS Software Platforms
Threat Type: IntelliShield: Security Activity Bulletin
IntelliShield ID: 40411
Version: 1
First Published: 2015 August 11 18:17 GMT
Last Published: 2015 August 11 18:17 GMT
Port: Not available
Urgency: Possible use Urgency: 1-Weakness 2-Unlikely Use 3-Possible Use 4-Probable Use 5-Incidents Reported
Credibility: Confirmed Credibility: 1-Very Low 2-Low 3-Corroborated 4-Highly Credible 5-Confirmed
Severity: Mild Damage Severity: 1-No Damage 2-Harassment 3-Mild Damage 4-Moderate Damage 5-Heavy Damage
Version Summary: Cisco PSIRT has released information regarding increasingly complex attacks against platforms running Cisco IOS Software.
Description
Cisco PSIRT has contacted customers to describe an evolution in attacks against Cisco IOS Classic platforms. Cisco has observed a limited number of cases where attackers, after gaining administrative or physical access to a Cisco IOS device, replaced the Cisco IOS ROMMON (IOS bootstrap) with a malicious ROMMON image.
In all cases seen by Cisco, attackers accessed the devices using valid administrative credentials and then used the ROMMON field upgrade process to install a malicious ROMMON. Once the malicious ROMMON was installed and the IOS device was rebooted, the attacker was able to manipulate device behavior. Utilizing a malicious ROMMON provides attackers an additional advantage because infection will persist through a reboot.
No product vulnerability is leveraged in this attack, and the attacker requires valid administrative credentials or physical access to the system to be successful. The ability to install an upgraded ROMMON image on IOS devices is a standard, documented feature that administrators use to manage their networks. No CVE ID will be assigned.
The Cisco PSIRT has recently updated a number of technical documents to include information regarding the ROMMON attack as well as other threats to Cisco IOS devices. The following white papers are publicly available and provide information for preventing, detecting, and remediating potential compromise on Cisco IOS devices.
Cisco IOS Software Integrity Assurance
Cisco Guide to Harden IOS Devices
Telemetry-Based Infrastructure Device Integrity Monitoring
Cisco recommends users of Cisco IOS devices review these documents to understand the types of threats against Cisco IOS devices. Cisco also recommends users ensure operational procedures include methods for preventing and detecting compromise.
For help with implementing any of the recommendations in the documents, customers should contact their appropriate support organization.
We request your assistance by distributing this information to your constituent organizations to raise awareness about the evolution of threats against Cisco IOS devices.
For questions regarding information in the above documents, contact psirt@cisco.com.
Alert History
Initial Release
http://tools.cisco.com/security/center/viewAlert.x?alertId=40411
IDemo
(16,926 posts)Because the issue is partly down to the way the Internet is built, fixing the problem is going to be all but impossible, according to FireEye's CEO:
"We need an Internet reboot. We need to re-image the operating systems of the routers in the world. We have to reset the encryption capabilities on the routers. And we have to reset the passcodes and authentication of all the routers -- and of course doing that is a pretty mammoth task."
snooper2
(30,151 posts)LOL
https://www.fireeye.com/products.html
FireEye cyber security products combat today's advanced persistent threats (APTs). As an integral piece of an Adaptive Defense strategy, our state-of-the-art network security offerings protect against cyber attacks that bypass traditional signature-based tools such as antivirus software, next-generation firewalls, and sandbox tools. View the FireEye Corporate Brochure to learn more about our offerings.
I wouldn't actually expect useful input from the operators of a dental practice or dairy farm on internet security. That they have a business interest here is inarguable but doesn't necessarily make their opinion invalid.
ancianita
(36,080 posts)Should I even say that one of my sons works for them. The company's in CA, meets yearly in Vegas.
emsimon33
(3,128 posts)To continue to spy on us.