Hundreds Of Cisco Routers Infected With 'SYNful Knock'; Partners Say Attack Changing Sales Strategy

The number of infected Cisco routers continues to climb as researchers have now discovered nearly 200 IP addresses in more than 30 countries that have been attacked through installed malicious firmware known as SYNful Knock, far outweighing the 14 infected routers FireEye initially reported last week.

Cisco partners said the increase of known SYNful Knock attacks on routers won't affect Cisco sales, but will impact how the channel sells to customers.

"This is not a problem for the channel in terms of sales. What the problem is for the channel is it's going to delay sales of your traditional router technology because customers are now rethinking how they deploy everything on the network edge," said a top executive solution provider and Cisco Gold partner, who declined to be identified.

[Related: Partners Welcome Cisco Back To The SMB Market With New Mobility Solution Managed On Apple, Android App]

Sponsored post

Mandiant, a subsidiary of FireEye, confirmed in a blog post last week that it found 14 instances where malicious software had been implanted into Cisco routers. A Cisco spokesperson told CRN the hackers stole valid network administration credentials or were able to gain physical access to the routers themselves in order to install the malware. The router implant gives attackers back-door access that can persist across reboots.

The San Jose, Calif.-based networking giant has since teamed up with cybercrime specialist and ecosystem partner the Shadowserver Foundation and discovered that 199 unique IP addresses have been attacked by SYNful Knock in 31 countries as of Monday.

"It is important to stress the severity of this malicious activity," said Shadowserver in a blog post on Monday. "Compromised routers should be identified and remediated as a top priority."

The U.S. has the largest number of infected routers at 65, followed by India with 12, Russia at 11, 9 in Poland and 8 in China, according to Shadowserver. Cisco confirmed to CRN that the three models of routers that are known to be infected -- 1841, 2811 and 3825 -- are no longer available and haven't been sold for "several years." Hardware support for those routers will end next month, according to Cisco.

"This isn't a vulnerability in our technology," said a Cisco spokesperson. "This is a new type of threat that people didn't think was possible in the past, and part of the defense against it is really about best practices."

"We're reinforcing with our account teams how important it is to educate customers about best practices and offer guidance. So it's not about selling Cisco gear; we're actually asking our sales teams to go out and help our customers make sure they're protecting their own network with the tools that are already available," said the spokesperson.

Partners said the channel needs to take a similar approach when dealing with customers to fully understand a client's internal network, architecture and security in order to prevent future attacks.

"As a channel partner, we can no longer just walk in and say, 'Here's our connect group, and go deploy those routers,'" said Jamie Shepard, senior vice president of strategy and health care at Lumenate, a Dallas-based solution provider and Cisco partner. "You want to go in there and talk to the security guys, learn about the customers' architecture ... We are seeing purchase orders being delayed by doing this, but they are getting bigger because we have a more consultative approach."

Solution providers agreed there needs to be more of a consultative approach to sales to understand the customers' internal technology and architecture, which will help prevent security breaches. In addition, partners said hackers are successfully going after older legacy equipment, like the Cisco routers, because customers are focusing on deploying new cloud technology without tying up the loose ends on the older equipment.

"This SYNful Knock is just a matter of some of this legacy equipment that doesn't fully integrate with the new processes, and people are going after those vulnerabilities," said the Cisco Gold partner. "Partners and the channel, as a whole, you could say has to become more valuable to their customers by getting to know them better internally."

Cisco said it is offering customers guidance specifically on SYNful Knock about how to prevent, detect and remediate the issue, including a "Snort Rule" that assesses a customer's network to determine if they are at risk or have been compromised.