It's unlikely the routers that got exploited were the initial entry point of the attack. The chain of events can look like this:

- spear-phishing email with exploit-laden attachment
- end user opens attachment, internal Windows endpoint compromised
- malware makes outbound connection to command & control server on internet; downloads more horrible stuff
- threat actor has access to Windows endpoint via reverse tunnel
- threat actor makes lateral attacks to other Windows endpoints; keyloggers installed
- threat actor attacks Windows AD servers
- threat actor achieves domain admin; and/or harvests user credentials via keyloggers
- threat actor connects via VPN using harvested user credentials

At this point, when they start messing around with routers, you're going to see activity coming from the intended internal management range using legit credentials. When the compromise becomes advanced enough, the malware stops being used and everything is done via legit credentials, which makes the badness more difficult to distinguish.

Part 2 of the Mandiant blog is up; it discusses detection, and seems to reinforce that these are backdoored IOS images, and not ROMMON. Although given the Cisco PSIRT post about backdoored ROMMON recently, there are probably multiple attack trends going on concurrently.

https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis0.ht...

On Wed, Sep 16, 2015 at 2:27 AM, Roland Dobbins <rdobbins@arbor.net> wrote:
On 16 Sep 2015, at 11:51, Paul Ferguson wrote:
Please bear in mind that the attacker *must* acquire credentials to access
the box before exploitation.
And must have access to the box in order to utilize said credentials - which of course, there are BCPs intended to prevent same.
----------------------------------- Roland Dobbins <rdobbins@arbor.net>
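The point made in the thread is that by the time the routers are touched, the logins come from the expected management range with valid credentials, so address and credential checks alone say nothing. What still stands out is a valid account appearing from a source it has never used before and then immediately changing configuration or reloading the box. The script below is an added illustration of that correlation and is not code from the thread, from Mandiant or from Cisco. The syslog lines, the per-user source baseline (BASELINE), the management prefix (MGMT_NET) and the 30-minute window are all constructed assumptions; the message shapes follow the Cisco IOS SEC_LOGIN, SYS-5-CONFIG_I and SYS-5-RELOAD formats.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (made up for this example, not from the thread).
SAMPLE_LOGS = [
    "Sep 16 02:10:11 rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jsmith] "
    "[Source: 10.10.5.21] [localport: 22] at 02:10:11 UTC Wed Sep 16 2015",
    "Sep 16 02:12:40 rtr1 %SYS-5-CONFIG_I: Configured from console by jsmith on vty0 (10.10.5.21)",
    "Sep 16 02:20:03 rtr2 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
    "Sep 16 02:30:05 rtr2 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jsmith] "
    "[Source: 10.10.5.77] [localport: 22] at 02:30:05 UTC Wed Sep 16 2015",
    "Sep 16 02:31:20 rtr2 %SYS-5-CONFIG_I: Configured from console by jsmith on vty1 (10.10.5.77)",
    "Sep 16 02:33:00 rtr2 %SYS-5-RELOAD: Reload requested by jsmith on vty1 (10.10.5.77). "
    "Reload Reason: Reload Command.",
]

# Assumed baseline: the source addresses each admin normally manages routers from.
BASELINE = {"jsmith": {"10.10.5.21"}}
# Assumed management range; a login from here looks legitimate by address alone.
MGMT_NET = ipaddress.ip_network("10.10.5.0/24")

TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
PATTERNS = {
    "login": re.compile(TS + r"%SEC_LOGIN-5-LOGIN_SUCCESS: .*\[user: (?P<user>[^\]]+)\] "
                        r"\[Source: (?P<src>[^\]]+)\]"),
    "config": re.compile(TS + r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+) "
                         r"on \S+ \((?P<src>[^)]+)\)"),
    "reload": re.compile(TS + r"%SYS-5-RELOAD: Reload requested by (?P<user>\S+) "
                         r"on \S+ \((?P<src>[^)]+)\)"),
}


def parse(lines, year=2015):
    """Turn raw syslog lines into event dicts; lines matching no pattern are skipped.
    Syslog timestamps carry no year, so one is assumed for ordering."""
    events = []
    for line in lines:
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
                events.append({"kind": kind, "ts": ts, "host": m["host"],
                               "user": m["user"], "src": m["src"]})
                break
    return events


def analyze(events, baseline, mgmt_net, window=timedelta(minutes=30)):
    """Flag a login only when the user came from a source never seen for that user
    AND the same session then changed config or reloaded the router within `window`.
    A baseline-source login that changes config is routine and is left alone."""
    alerts = []
    for ev in events:
        if ev["kind"] != "login":
            continue
        reasons = []
        if ev["src"] not in baseline.get(ev["user"], set()):
            reasons.append("new-source-for-user")
        follow_ups = [
            f for f in events
            if f["kind"] in ("config", "reload")
            and (f["host"], f["user"], f["src"]) == (ev["host"], ev["user"], ev["src"])
            and ev["ts"] <= f["ts"] <= ev["ts"] + window
        ]
        reasons.extend(sorted({f["kind"] for f in follow_ups}))
        if "new-source-for-user" in reasons and ("config" in reasons or "reload" in reasons):
            alerts.append({
                "host": ev["host"], "user": ev["user"], "src": ev["src"],
                # True here is exactly the thread's point: the address looks legitimate.
                "in_mgmt_range": ipaddress.ip_address(ev["src"]) in mgmt_net,
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for a in analyze(parse(SAMPLE_LOGS), BASELINE, MGMT_NET):
        print(f"{a['host']}: {a['user']} from {a['src']} "
              f"(mgmt range: {a['in_mgmt_range']}) -> {', '.join(a['reasons'])}")
```

On the constructed input only the rtr2 session is raised: the login is inside the management range with a valid account, but it is a first-seen source for that user and is followed by a config change and a reload. The rtr1 session, also a config change by the same user, matches the baseline and stays quiet. The baseline is the part that needs real care in practice; it has to be built from a period you trust to predate the compromise, otherwise the attacker's sources are simply learned as normal.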