Synful Knock questions...

Michael Douglas Michael.Douglas at IEEE.org
Wed Sep 16 14:00:52 UTC 2015


It's unlikely the routers that got exploited were the initial entry point
of the attack.  The chain of events can look like this:

spearphishing email with exploit laden attachment
end user opens attachment, internal windows endpoint compromised
malware makes outbound connection to command & control server on internet;
downloads more horrible stuff
threat actor has access to windows endpoint via reverse tunnel
threat actor makes lateral attacks to other windows endpoints; key loggers
installed
threat actor attacks windows AD servers
threat actor achieves domain admin; and/or harvests user credentials via
keyloggers
threat actor connects via vpn using harvested user credentials

At this point when they start messing around with routers, you're going to
see activity coming from the intended internal management range using legit
credentials.  When the compromise becomes advanced enough the malware stops
being used, and everything is done via legit credentials, which makes the
badness more difficult to distinguish.

Part 2 of the Mandiant blog is up, it discusses detection, and seems to
reinforce these are backdoored IOS images, and not ROMMON.  Although given
the Cisco PSIRT post about backdoored ROMMON recently, there's probably
multiple attack trends going on concurrently.

https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis0.html


On Wed, Sep 16, 2015 at 2:27 AM, Roland Dobbins <rdobbins at arbor.net> wrote:

>
> On 16 Sep 2015, at 11:51, Paul Ferguson wrote:
>
>> Please bear in mind that the attacker *must* acquire credentials to access
>> the box before exploitation.
>>
>
> And must have access to the box in order to utilize said credentials -
> which of course, there are BCPs intended to prevent same.
>
> -----------------------------------
> Roland Dobbins <rdobbins at arbor.net>
>
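Since the thread's point is that the router logins arrive from the intended management range with legitimate credentials, the only signal left is deviation from each credential's own history. The script below is an added example (not code from the thread, Mandiant or Cisco) that builds a per-user baseline from constructed AAA log lines whose format is assumed, then flags first-seen user/source pairs and users with no prior router history.

```python
"""Baseline check for router logins made with legitimate credentials (added example).
Sample AAA log lines below are constructed; their format is assumed, not real."""
import re
from collections import defaultdict

# Assumed line shape: "<ts> <router> login user=<name> from=<ip> result=<ok|fail>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<router>\S+) login user=(?P<user>\S+) "
                     r"from=(?P<src>\S+) result=(?P<res>\w+)$")

# Constructed history: the admins who normally touch routers, and from where.
BASELINE_LOGS = [
    "2015-09-01T09:00:00Z core-rtr-1 login user=alice from=10.9.0.10 result=ok",
    "2015-09-02T09:05:00Z core-rtr-2 login user=alice from=10.9.0.10 result=ok",
    "2015-09-03T10:00:00Z core-rtr-1 login user=bob from=10.9.0.11 result=ok",
]
# Constructed new activity: all from the management range, all valid credentials,
# as the thread describes. 'carol' has never administered a router; 'alice'
# appears from a host she has never used before.
NEW_LOGS = [
    "2015-09-15T23:10:00Z core-rtr-1 login user=alice from=10.9.0.10 result=ok",
    "2015-09-15T23:12:00Z core-rtr-1 login user=alice from=10.9.0.42 result=ok",
    "2015-09-15T23:15:00Z core-rtr-2 login user=carol from=10.9.0.10 result=ok",
    "2015-09-15T23:16:00Z core-rtr-2 login user=mallory from=10.9.0.10 result=fail",
]

def parse(line):
    """Return the line's fields as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def build_baseline(lines):
    """Map each user to the set of source hosts their successful logins came from."""
    baseline = defaultdict(set)
    for ev in filter(None, map(parse, lines)):
        if ev["res"] == "ok":
            baseline[ev["user"]].add(ev["src"])
    return baseline

def find_anomalies(baseline, lines):
    """List (reason, user, src, router) for successful logins outside the baseline."""
    hits = []
    for ev in filter(None, map(parse, lines)):
        if ev["res"] != "ok":
            continue  # failed logins are not the case the thread describes
        if ev["user"] not in baseline:
            hits.append(("new-router-admin", ev["user"], ev["src"], ev["router"]))
        elif ev["src"] not in baseline[ev["user"]]:
            hits.append(("new-source-for-user", ev["user"], ev["src"], ev["router"]))
    return hits
```

Running `find_anomalies(build_baseline(BASELINE_LOGS), NEW_LOGS)` flags alice's new source host and carol's first-ever router login while leaving alice's usual session and the failed attempt alone.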
