Scan of IPv4 Space for ‘Implanted’ Cisco Routers Finds Fewer Than 100

A day after researchers detailed a technique that attackers are using to upload malicious firmware images to Cisco routers, academic researchers say they have scanned the entire IPv4 address space and discovered a total of 79 likely compromised routers.

The researchers at the University of Michigan used their Zmap tool, which can scan the Internet in about 45 minutes, to look for routers that contain the malicious IOS image being used by the attackers. They discovered 25 compromised routers in the United States, all of which belong to one ISP on the east coast.

Researchers at FireEye on Tuesday said that they had observed attackers taking advantage of default or stolen credentials in order to gain access to Cisco routers and then upload a modified IOS firmware image that includes a backdoor. The attackers then can connect to the compromised routers and install further attack modules.

“The implant consists of a modified Cisco IOS image that allows the attacker to load different functional modules from the anonymity of the internet. The implant also provides unrestricted access using a secret backdoor password. Each of the modules are enabled via the HTTP protocol (not HTTPS), using a specifically crafted TCP packets sent to the routers interface,” an analysis of the technique by Bill Hau and Tony Lee of FireEye says.

The malicious firmware has a unique fingerprint, and so the Zmap team–which comprises researchers from Michigan, UC Berkeley and the International Computer Science Institute–ran several separate scans of the IPv4 address space Tuesday to see what they could find. They found a total of 79 routers with the compromised firmware, spread around the world.

“These routers belong to a range of institutions in 19 countries. We have found no immediate pattern in the organizations affected, but note a surprising number of routers in Africa and Asia (compared to IP allocations). We note that the 25 hosts in the United States belong to a single Internet service provider on the East Coast, and that the hosts in both Germany and Lebanon belong to a single satellite provider that provides coverage to Africa,” the Zmap researchers wrote in a post about the scan.

The attackers who are compromising the Cisco routers connect to them using specially crafted TCP handshake packets, and the Zmap researchers used the same technique but stopped short of attempting to login or complete the handshake. Instead, they closed the connection after receiving the response that indicates whether a router has been compromised or is clean.

Suggested articles