SYNful Knock is a persistent implant that gives an attacker control of a Cisco IOS device by replacing the Cisco IOS Software image on the device with a modified one; because the modified image is what the device boots, the implant survives reboots. The implant has several modules that are enabled over the HTTP protocol (not HTTPS), and it is controlled by crafted TCP packets sent to the device.
The Cisco Product Security Incident Response Team (PSIRT) worked with Mandiant and determined that no product vulnerabilities are used in this attack, and that an attacker requires valid administrative credentials or physical access to the device for a successful compromise.
Mandiant’s research focuses on one specific piece of malicious software. Cisco, however, regards SYNful Knock as one example of a broader evolution in attacks against networking devices: attackers are no longer focusing only on disruption, but on persistent access obtained through compromised credentials. A previous security bulletin for our customers about this evolution was posted on August 11, 2015: Evolution in Attacks Against Cisco IOS Software Platforms.
To coincide with the public disclosure of SYNful Knock, Cisco Talos published Snort Rule SID:36054 (in the malware-cnc.rules policy) to help detect devices manifesting related behaviors.
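Because the implant is a modified IOS image stored on the device, the check a practitioner wants alongside the network signature is an integrity check of the image itself: copy the image off the device to a trusted host and compare its digest against the value Cisco publishes for that release. The script below is an added example written for this page, not code from Cisco or Mandiant. The image file name is hypothetical, the image bytes are a constructed stand-in, and the "published" checksum list is constructed in the same format that `sha512sum`/`md5sum` emit so that the example runs offline; in real use the digest comes from Cisco.com, never from the file being checked.

```python
"""Offline integrity check of a Cisco IOS image against a vendor-published
checksum list. Added example for this page, not Cisco or Mandiant code."""
import hashlib
import hmac

# Constructed stand-ins: a small byte string plays the role of the image file
# and the filename is hypothetical.
IMAGE_NAME = "c2900-universalk9-mz.SPA.154-3.M.bin"
IMAGE_BYTES = b"\x7fELF" + b"\x00" * 60 + b"example IOS image body"


def parse_checksum_list(text):
    """Parse '<hexdigest>  <filename>' lines (the sha512sum/md5sum format) into
    {filename: lowercase digest}. Blank lines and '#' comments are skipped;
    a leading '*' on the filename (binary-mode marker) is dropped."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts
        table[name.lstrip("*")] = digest.lower()
    return table


def digest_of(data, algorithm):
    """Hex digest of in-memory bytes with the named hashlib algorithm."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def digest_of_file(path, algorithm, chunk_size=1 << 20):
    """Hex digest of a file on disk, read in chunks so that a real image of
    tens of megabytes is not loaded into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(data, name, checksum_text, algorithm="sha512"):
    """Return (ok, detail). ok is True only when the computed digest matches
    the published entry for `name`. An image whose name is absent from the
    published list is reported as a failure rather than silently accepted:
    an unknown filename is exactly what a re-labelled image looks like."""
    published = parse_checksum_list(checksum_text)
    expected = published.get(name)
    if expected is None:
        return False, f"{name}: no published {algorithm} digest; refusing to trust"
    actual = digest_of(data, algorithm)
    # Constant-time comparison so the check does not leak how much matched.
    if hmac.compare_digest(actual, expected):
        return True, f"{name}: {algorithm} digest matches published value"
    return False, (f"{name}: {algorithm} MISMATCH "
                   f"expected={expected[:16]}... got={actual[:16]}...")


# Constructed "published" list, derived from the stand-in bytes purely so the
# example is self-contained. A real check uses the digest from Cisco.com.
CHECKSUM_LIST = "\n".join([
    "# constructed checksum list for this example",
    f"{digest_of(IMAGE_BYTES, 'sha512')}  {IMAGE_NAME}",
])

if __name__ == "__main__":
    ok, detail = verify_image(IMAGE_BYTES, IMAGE_NAME, CHECKSUM_LIST)
    print("PASS" if ok else "FAIL", detail)
    # One changed byte, as any modification of the image would produce.
    tampered = IMAGE_BYTES[:-1] + b"!"
    ok, detail = verify_image(tampered, IMAGE_NAME, CHECKSUM_LIST)
    print("PASS" if ok else "FAIL", detail)
```

Run the hash on a trusted host, not on the router: a device booted from a modified image can misreport the result of its own on-box checks, so the image should be copied off the device (for example over SCP or TFTP) and hashed there, with the expected digest taken from the software download page on Cisco.com. This verifies the image stored on flash; it says nothing about code patched into memory after boot, which needs a separate runtime check.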
Cisco Security Content
The following content has been published specifically to address the SYNful Knock malware. Additional content will be provided as it becomes available.
Blogs and Multimedia
Best Practices and Technical Guidance
Product Integrity and Trust