Network device exploitation: an attractive target

August, 2017

Exploitation of enterprise network hardware is the domain of APTs and nation states; as such these attacks, while uncommon, are sophisticated, devastating, and poorly documented.

Below are three case studies of real-world network device exploitation, as well as prevention and detection strategies.

  • The Equation Group (EG) actor has been linked to the JETPLOW and BANANAGLEE toolkits. These allow for the persistent compromise of Cisco PIX and ASA security devices through the modification of existing firmware. EG are reported to have a similar toolkit for use against Juniper security devices that communicates with an external command and control server and is reported to have the advanced ability of surviving even firmware upgrades. While leaks have shown EG have access to zero-day exploits, the JETPLOW and BANANAGLEE attack tools are also able to take advantage of weak configuration and otherwise known credentials.
  • The Vault7 leak of the CIA’s CherryBlossom framework shows how it is possible for a skilled attacker, such as a nation state, to compromise both enterprise and domestic wireless routers. Cherry Blossom provides the capability to remotely control the exploited device, or perform a number of attacks such as alerting the operator to the presence of a target, recording network traffic, or delivering exploits to WiFi users. It also communicates over the internet to centralized command and control servers.
  • SYNful Knock, of unknown origin, modifies the existing Cisco IOS software installation, allowing it to persist after the device is rebooted. It waits for specific commands from an external server rather than sending unprompted communications to a command and control server by default, which makes it difficult to detect with network monitoring. Once a session is started by the remote-control server, additional modules can be loaded to execute a range of attacks.

Using the above case studies, it is possible to provide advice on the best ways to prevent the infection of enterprise network devices. The leak of the Equation Group toolkits indicates an exploit called “EXTRA BACON” is used for the initial infection, which gives attackers remote control of the target router, provided they have some valid network monitoring credentials. CherryBlossom and SYNful Knock require that an attacker gains initial access through some other means. As such, it is important to assume that any single network device or user can be compromised at any time, either through advanced exploitation techniques or simple attacks such as guessing weak credentials. It can also be seen that, even against a nation state adversary with access to zero-day vulnerabilities, typical security advice is still highly relevant. In particular, the following points will help prevent the exploitation of network devices:

  • Install network hardware that makes use of code signing and secure boot functionality, which prevent unsigned or modified code from running. Ensure that network admins understand how these mechanisms fail when under attack.
  • Update software, including device firmware, in a timely manner to ensure patches to known vulnerabilities are applied.
  • In particularly sensitive environments, consider utilizing devices from multiple vendors to reduce the utility of an exploit that works against a particular product range.
  • Prevent and audit the use of weak or default credentials throughout the network.
  • Restrict network access as much as possible and ensure administrative interfaces cannot be accessed from the internet.
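The last three points above (weak or default credentials, restricted administrative access) can be checked mechanically against a device's running configuration. The script below is an added example written for this article, not a tool from the original post; it assumes a Cisco IOS-style configuration syntax and uses a constructed sample configuration that deliberately contains several of the weaknesses the list warns about.

```python
import re

# Constructed sample of a Cisco IOS-style running configuration (assumption:
# the device uses this syntax). It is an illustration, not taken from the article.
SAMPLE_CONFIG = """\
version 15.2
no service password-encryption
hostname edge-rtr-1
enable password cisco123
username admin password 0 admin
ip http server
snmp-server community public RO
snmp-server community s3cure-r0 RO 10
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 access-class 10 in
 transport input ssh
 login local
"""

# Community strings and local accounts commonly shipped as defaults (assumed list).
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin"}
DEFAULT_USERS = {("admin", "admin"), ("cisco", "cisco")}


def parse_vty_lines(config):
    """Return [(block_name, [child commands])] for every 'line vty' block."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = (raw.strip(), [])
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = None  # any non-indented line ends the block
    return blocks


def audit_config(config):
    """Return a list of human-readable findings for weak settings in the config."""
    findings = []
    lines = [l.rstrip() for l in config.splitlines()]

    if "no service password-encryption" in lines:
        findings.append("service password-encryption is disabled: passwords stored in clear text")
    if any(l.startswith("enable password ") for l in lines):
        findings.append("enable password in use instead of enable secret")
    if "ip http server" in lines:
        findings.append("clear-text HTTP management interface enabled")

    for l in lines:
        # snmp-server community <string> [RO|RW] [access-list]
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?(?:\s+(\S+))?$", l)
        if m:
            community, _mode, acl = m.groups()
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"default SNMP community string '{community}'")
            if acl is None:
                findings.append(f"SNMP community '{community}' not restricted by an access list")
        # username <name> password [0] <clear-text password>
        m = re.match(r"username (\S+) password (?:0 )?(\S+)$", l)
        if m and (m.group(1), m.group(2)) in DEFAULT_USERS:
            findings.append(f"default local credential for user '{m.group(1)}'")

    for name, children in parse_vty_lines(config):
        if any(c.startswith("transport input") and "telnet" in c.split() for c in children):
            findings.append(f"{name}: telnet permitted")
        if not any(c.startswith("access-class") for c in children):
            findings.append(f"{name}: no access-class restricting management sources")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample, the audit reports the clear-text password storage, the `enable password`, the HTTP server, the `public` community (both as a default string and as unrestricted), the `admin`/`admin` account, and the first VTY block permitting telnet without an access-class; the second VTY block and the ACL-restricted community produce nothing. Running a check like this as part of configuration change control makes the "prevent and audit" bullet a repeatable control rather than a one-off review.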

However, even the most extensive preventative measures might not always be enough to keep you safe. Given the increasing popularity of network device exploitation, as well as the sophistication and funding available to some attackers, it is prudent to assume that a compromise of network devices is likely. A robust security model that implements a defense-in-depth approach should include detection methods and incident response. Detection is possible by monitoring traffic to and from network devices and raising alerts on unusual behavior; the boundary between network sections is of particular note as deviations from normal traffic should be simpler to detect.

In the case studies presented, the Equation Group and Cherry Blossom attacks both communicated outward to command and control services. Such communications from routers are atypical and should be regarded with suspicion. Access to administrative services on the network device from unusual sources is another example of suspicious behavior. It is important to test the detection capability through attack simulation; detection successes and failures can be used to tune the capability. A robust incident response plan will assist the victim in understanding attacks once they have been detected and taking appropriate remedial action.
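The two behaviours singled out above, a network device initiating connections outward and administrative services being reached from unusual sources, translate directly into detection rules over flow data. The following is an added example for this article, not detection content from the original post; it assumes a constructed set of device addresses, a management subnet, internal prefixes and an allow-list of destinations a device legitimately contacts on its own initiative (such as a syslog collector), and runs the two rules over constructed flow records.

```python
import ipaddress
from collections import namedtuple

# One summarised flow record (constructed shape, e.g. as exported from a flow collector).
Flow = namedtuple("Flow", "src dst dport proto bytes")

# Assumed environment (constructed for this example, not from the article).
NETWORK_DEVICES = {ipaddress.ip_address("10.0.0.1"), ipaddress.ip_address("10.0.0.2")}
MANAGEMENT_NET = ipaddress.ip_network("10.10.0.0/24")       # where admins connect from
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
ADMIN_PORTS = {22: "ssh", 23: "telnet", 80: "http", 161: "snmp", 443: "https"}
# Destinations a device is expected to contact on its own initiative (syslog/NTP etc.).
ALLOWED_DEVICE_DESTS = {ipaddress.ip_address("10.10.0.5")}

# Constructed sample flows; the comments state the expected verdict.
SAMPLE_FLOWS = [
    Flow("10.10.0.7", "10.0.0.1", 22, "tcp", 4200),          # admin from mgmt net: normal
    Flow("10.0.0.1", "10.10.0.5", 514, "udp", 300),          # syslog to allowed host: normal
    Flow("10.0.0.2", "203.0.113.10", 443, "tcp", 8800),      # router calling out: alert
    Flow("192.168.5.20", "10.0.0.1", 161, "udp", 120),       # SNMP from user subnet: alert
    Flow("198.51.100.4", "10.0.0.2", 23, "tcp", 900),        # telnet from internet: alert
    Flow("192.168.5.21", "192.168.5.1", 80, "tcp", 2000),    # not a monitored device: ignored
]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def detect(flows):
    """Apply both rules to each flow and return (rule, src, dst, detail) tuples."""
    alerts = []
    for f in flows:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)

        # Rule 1: a network device initiating traffic to an external address that is
        # not on its allow-list. Routers forward traffic; they rarely originate it.
        if src in NETWORK_DEVICES and dst not in ALLOWED_DEVICE_DESTS and not is_internal(dst):
            alerts.append(("device_outbound", f.src, f.dst, f.dport))

        # Rule 2: an administrative service on a device reached from outside the
        # management subnet, whether from a user VLAN or from the internet.
        if dst in NETWORK_DEVICES and f.dport in ADMIN_PORTS and src not in MANAGEMENT_NET:
            alerts.append(("admin_from_unusual_source", f.src, f.dst, ADMIN_PORTS[f.dport]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print("ALERT:", alert)
```

On the sample data the rules raise three alerts: the router contacting an internet host over HTTPS, SNMP to a device from a user subnet, and telnet to a device from an internet address. The allow-list is what keeps rule 1 useful in practice: without it, legitimate syslog, NTP and AAA traffic originated by the device would drown the real signal, which is exactly the kind of tuning the attack-simulation exercise described above is meant to drive.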

Network device exploitation, while once a theoretical attack, is beginning to present a realistic threat. While evidence suggests it is currently the domain of APTs and nation states, it is likely to become more widely used, as has historically been seen with most offensive techniques. Prevention techniques can be used to reduce the risk of exploitation, but a robust detection and response capability is also recommended.
