Network device exploitation: An attractive target

Recent attacks have shown how enterprise network devices are becoming an increasingly popular attack vector, but how can they be defended?

Enterprise network devices, such as routers, firewalls, and switches, form the backbone of modern IT systems. They typically hold a trusted position and can see sensitive network data. In most cases, they control network segregation and implement network security policies. Recent attacks have shown how these privileged devices are becoming an increasingly popular attack vector, as attackers who compromise network hardware can assume a privileged network role and maintain persistence.

Exploitation of enterprise hardware is the domain of APTs and nation states and, as such, these attacks, while uncommon, are sophisticated, devastating, and poorly documented.

Below are three case studies of real world network device exploitation, as well as prevention and detection strategies.

  • The Equation Group (EG) actor has been linked to the JETPLOW and BANANAGLEE toolkits. These allow for the persistent compromise of Cisco PIX and ASA security devices through the modification of existing firmware. EG is reported to have a similar toolkit for use against Juniper security devices, which communicates with an external command and control server and is reported to have the advanced ability to survive even firmware upgrades. While leaks have shown that EG has access to zero-day exploits, the JETPLOW and BANANAGLEE attack tools are also able to take advantage of weak configuration and otherwise known credentials.
  • The Vault7 leak of the CIA’s CherryBlossom framework shows how it is possible for a skilled attacker, such as a nation state, to compromise both enterprise and domestic wireless routers. CherryBlossom provides the capability to remotely control the exploited device, or to perform a number of attacks such as alerting the operator to the presence of a target, recording network traffic, or delivering exploits to WiFi users. It also communicates over the internet with centralized command and control servers.
  • SYNful Knock, of unknown origin, modifies the existing Cisco IOS software installation, allowing it to persist after the device is rebooted. By default it waits for specific commands from an external server rather than sending unprompted communications to a command and control server, which makes it difficult to detect with network monitoring. Once a session is started by the remote control server, additional modules can be loaded to execute a range of attacks.


Using the above case studies, it is possible to provide advice on the best ways to prevent the infection of enterprise network devices. The leak of the Equation Group toolkits indicates an exploit called “EXTRA BACON” is used for the initial infection, which gives attackers remote control of the target router, provided they have some valid network monitoring credentials. CherryBlossom and SYNful Knock require that an attacker gains initial access through some other means. As such, it is important to assume that any single network device or user can at any time be compromised, either through advanced exploitation techniques or simple attacks such as guessing weak credentials. It can also be seen that, even against a nation state adversary with access to zero day vulnerabilities, typical security advice is still highly relevant. In particular, the following points will help prevent the exploitation of network devices:

  • Install network hardware that makes use of code signing and secure boot functionality, which prevents the running of malicious code. Ensure that network admins understand how these mechanisms fail when under attack.
  • Update software, including device firmware, in a timely manner to ensure patches to known vulnerabilities are applied.
  • In particularly sensitive environments, consider utilizing devices from multiple vendors to reduce the utility of an exploit that works against a particular product range.
  • Prevent and audit the use of weak or default credentials throughout the network.
  • Restrict network access as much as possible and ensure administrative interfaces cannot be accessed from the internet.


However, even the most extensive preventative measures might not always be enough to keep you safe. Given the increasing popularity of network device exploitation, as well as the sophistication and funding available to some attackers, it is prudent to assume that a compromise of network devices is likely. A robust security model that implements a defense-in-depth approach should include detection methods and incident response. Detection is possible by monitoring traffic to and from network devices and raising alerts on unusual behavior; the boundary between network sections is of particular note as deviations from normal traffic should be simpler to detect.

In the case studies presented, the Equation Group and CherryBlossom attacks both communicated outward to command and control services. Such communications from routers are atypical and should be regarded with suspicion.

Access to administrative services on the network device from unusual sources is another example of suspicious behavior. It is important to test the detection capability through attack simulation; detection successes and failures can be used to tune the capability. A robust incident response plan will assist the victim in understanding attacks once they have been detected and taking appropriate remedial action.
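The two suspicious behaviors described above (a network device initiating traffic to an unexpected destination, and administrative access to a device from an unusual source) can be expressed as rules over flow records. The following is an added example, not code from the original article; the device inventory, management subnet, allow-list and flow records are all constructed for illustration.

```python
import ipaddress

# Constructed inventory and policy (assumptions, not from the article).
DEVICES = {"10.0.0.1": "edge-router", "10.0.0.2": "core-fw"}
MGMT_NET = ipaddress.ip_network("10.0.50.0/24")  # admin jump hosts live here
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
# Destinations a device may legitimately initiate traffic to: (ip, proto, port).
ALLOWED_EGRESS = {("10.0.50.10", "udp", 514), ("10.0.50.11", "udp", 123)}
# Administrative services exposed by the devices: (proto, port).
ADMIN_PORTS = {("tcp", 22), ("tcp", 23), ("tcp", 443), ("udp", 161)}

# Constructed flow records: (initiator, responder, proto, responder port).
FLOWS = [
    ("10.0.0.1", "10.0.50.10", "udp", 514),    # syslog to collector: expected
    ("10.0.0.1", "203.0.113.77", "tcp", 443),  # router initiates to the internet
    ("10.0.50.20", "10.0.0.2", "tcp", 22),     # SSH from management net: expected
    ("10.0.7.33", "10.0.0.2", "udp", 161),     # SNMP from a user subnet
    ("198.51.100.9", "10.0.0.1", "tcp", 23),   # telnet from the internet
    ("10.0.7.33", "10.0.9.9", "tcp", 80),      # unrelated host-to-host traffic
]

def classify(flow):
    """Return a list of (rule, device_name) alerts raised by one flow."""
    src, dst, proto, port = flow
    alerts = []
    # Rule 1: a device initiates a connection that is not on its allow-list.
    if src in DEVICES and (dst, proto, port) not in ALLOWED_EGRESS:
        scope = "internal" if ipaddress.ip_address(dst) in INTERNAL else "external"
        alerts.append(("device-initiated-" + scope, DEVICES[src]))
    # Rule 2: an admin service on a device is reached from outside the
    # management subnet.
    if (dst in DEVICES and (proto, port) in ADMIN_PORTS
            and ipaddress.ip_address(src) not in MGMT_NET):
        alerts.append(("admin-access-unusual-source", DEVICES[dst]))
    return alerts

def detect(flows):
    """Pair every alerting flow with each alert it raised."""
    return [(flow, alert) for flow in flows for alert in classify(flow)]

if __name__ == "__main__":
    for flow, (rule, device) in detect(FLOWS):
        print(f"{rule:30} {device:12} {flow}")
```

The first rule only catches implants that call out; one that waits for inbound commands, as SYNful Knock is described above, produces no device-initiated flow, so the second rule and a tight allow-list of administrative sources carry that case.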

Network device exploitation, while once a theoretical attack, is beginning to present a realistic threat. While evidence suggests it is currently the domain of APTs and nation states, it is likely to become more widely used, as has historically been seen with most offensive techniques. Prevention techniques can be used to reduce the risk of exploitation, but a robust detection and response capability is also recommended.



