& Component Firmware

EMA ID: ema-1033
Description: Cisco routers can have their firmware images modified in order to maliciously infect and persist on end-user machines in a network. This is accomplished by using default or acquired credentials to gain access to a router and to install a backdoor.

The implant resides within a modified Cisco IOS image and, when loaded, maintains its persistence in the environment, even after a system reboot. However, any further modules loaded by the attacker will only exist in the router’s volatile memory and will not be available for use after reboot.

Known Affected Hardware:

  • Cisco 1841 router
  • Cisco 2811 router
  • Cisco 3825 router

Associated Capabilities/Subcapabilities: Persistence

Notes: SYNful Knock (9/2015)

http://www.scmagazineuk.com/new-malware-discovered-internationally-on-14-cisco-routers/article/439114/

https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html
