Cisco will provide additional updates on this Event Response Page as they become available.
What is SYNful Knock?
SYNful Knock is a type of persistent malware that allows an attacker to gain control of a device and compromise its integrity with a modified Cisco IOS Software image. The malware has different modules that are enabled via the HTTP protocol (not HTTPS) and controlled by crafted TCP packets sent to the device.
The Cisco Product Security Incident Response Team (PSIRT) worked with Mandiant and determined that no product vulnerabilities are used in this attack, and that an attacker requires valid administrative credentials or physical access to the device for a successful compromise.
Mandiant's research focuses on a specific example of malicious software. However, Cisco believes that SYNful Knock is an example of an evolution of attacks against networking devices. Attackers are no longer focusing just on disruption, but on persistent attacks achieved through compromised credentials. A previous security bulletin for our customers about this evolution was posted on August 11, 2015: Evolution in Attacks Against Cisco IOS Software Platforms.
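The following is an added example, not Cisco's, Mandiant's or Talos's tooling, showing the kind of offline integrity check that detects the modified-image compromise described above: the image file is hashed and compared against a known-good manifest. The image bytes and the manifest entry are constructed placeholders; real deployments would use the vendor-published hashes for the exact image version. The check is computed from a copy of the image taken off the device, since a compromised operating system cannot be trusted to report its own hash honestly.

```python
"""Offline integrity check of a Cisco IOS image against a known-good hash manifest.

Added example (not Cisco's, Mandiant's or Talos's code).  The sample image
bytes and the manifest entry below are constructed for illustration only.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-ins for an image file: a pristine blob, and the same blob
# with one byte patched, mimicking a modified image that differs only slightly.
PRISTINE_IMAGE = b"\x7fELF" + b"cisco-ios-sample-image" * 64
_t = bytearray(PRISTINE_IMAGE)
_t[100] ^= 0xFF
TAMPERED_IMAGE = bytes(_t)


def sha256_of(data: bytes, chunk: int = 65536) -> str:
    """Hash the image in chunks so large files do not need to sit in memory twice."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


# Constructed manifest: image filename -> expected SHA-256 (placeholder value,
# computed from the constructed pristine blob, not a real Cisco hash).
KNOWN_GOOD: Dict[str, str] = {"sample-image.bin": sha256_of(PRISTINE_IMAGE)}


@dataclass
class Verdict:
    name: str
    observed: str
    expected: Optional[str]
    status: str  # "match", "mismatch", or "unlisted"

    def ok(self) -> bool:
        return self.status == "match"


def verify_image(name: str, data: bytes, manifest: Dict[str, str] = KNOWN_GOOD) -> Verdict:
    """Compare an image's hash with the manifest entry for its filename.

    An image absent from the manifest is reported as "unlisted" rather than
    silently passing, because an unknown image is exactly what an integrity
    review needs to flag for manual follow-up.
    """
    observed = sha256_of(data)
    expected = manifest.get(name)
    if expected is None:
        return Verdict(name, observed, None, "unlisted")
    # compare_digest avoids timing differences; harmless here but idiomatic.
    status = "match" if hmac.compare_digest(observed, expected) else "mismatch"
    return Verdict(name, observed, expected, status)


def verify_image_file(path: str, manifest: Dict[str, str] = KNOWN_GOOD) -> Verdict:
    """Convenience wrapper for an image copied off the device to local disk."""
    with open(path, "rb") as fh:
        data = fh.read()
    return verify_image(path.rsplit("/", 1)[-1], data, manifest)


if __name__ == "__main__":
    for label, blob in (("pristine", PRISTINE_IMAGE), ("tampered", TAMPERED_IMAGE)):
        v = verify_image("sample-image.bin", blob)
        print(f"{label:9s} sha256={v.observed[:16]}... status={v.status}")
    print("unknown image ->", verify_image("other.bin", PRISTINE_IMAGE).status)
```

A "mismatch" on a production image is a signal to pull the device for forensic review rather than simply reflash it, since the modified image is the evidence of how the attacker's administrative access was used.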
Detecting SYNful Knock
To coincide with the public disclosure of SYNful Knock, Cisco Talos published Snort Rule SID:36054 (in the malware-cnc.rules policy) to help detect devices manifesting related behaviors.
Cisco Security Content
The following content has been published specifically to address the SYNful Knock malware. Additional content will be provided as it becomes available.
This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.