infoTECH Feature

August 14, 2015

Malicious Firmware Hits Cisco Customers

Attackers learn and adapt quickly. It often seems that before security firms have a fix for the latest attack, the attackers have already moved on to a new method.

One of the latest attacks was reported earlier this week by Cisco, which is warning its enterprise customers about a recent spike in attacks. In this case, Cisco sent out the following advisory: “Cisco PSIRT has contacted customers to describe an evolution in attacks against Cisco IOS Classic platforms. Cisco has observed a limited number of cases where attackers, after gaining administrative or physical access to a Cisco IOS device, replaced the Cisco IOS ROMMON (IOS bootstrap) with a malicious ROMMON image.”

The attackers used valid credentials (or, as the advisory also notes, physical access) to log in to IOS devices as administrators and then uploaded malicious ROMMON images, taking control of the devices. ROMMON (ROM Monitor), also known as the bootstrap program, is essentially a small operating system in the Cisco device that initializes the processor hardware and boots the operating system software (Cisco IOS). Because ROMMON runs before IOS and is stored separately from the IOS image, a malicious ROMMON survives reboots and IOS image upgrades.

IOS runs on most Cisco routers and switches and provides a wide set of networking features. The attackers somehow acquired valid administrative credentials, which gave them the access needed to replace the ROMMON image on IOS devices. The problem Cisco faces is that it is not known how those administrative credentials were obtained.

The advisory bulletin continued to say, “The ability to install an upgraded ROMMON image on IOS devices is a standard, documented feature that administrators use to manage their networks. Cisco also recommends users ensure operational procedures include methods for preventing and detecting compromise.”

Researchers had long warned that attackers could flash rogue firmware onto embedded devices that lack protections such as encrypted and digitally signed updates, but until this attack, real-world attacks using this method appear to have been rare.

Cisco advises all system administrators to review its published technical documents, which describe common methods for detecting and preventing attacks on IOS devices. As an additional precaution against this type of attack, Cisco recommends that IT administrators consider rotating the passwords on their IOS devices.
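The advisory recommends that operational procedures include methods for detecting compromise, and Cisco's documents cover such methods for IOS devices. One simple, routine check is to compare the bootstrap (ROMMON) version each device reports against a baseline recorded when ROMMON was last legitimately upgraded. The script below is an added example for this article, not code from the original page or from Cisco: it parses the "ROM: System Bootstrap, Version ..." line that `show version` prints on IOS Classic platforms and flags any device whose reported ROMMON or running image differs from the baseline. The device names, the baseline table and the `show version` excerpts are constructed for illustration; a real run would feed in output collected from the devices.

```python
"""Baseline check for the ROMMON (System Bootstrap) version on Cisco IOS Classic devices.

Added example for this article; not code from the original page or from Cisco.
Device names, the baseline table and the CLI excerpts below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# 'show version' on IOS Classic prints the bootstrap as, for example:
#   ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
ROM_LINE = re.compile(r"^ROM:\s+System Bootstrap,\s+Version\s+([^,\s]+)", re.MULTILINE)

# The running image is reported as, for example:
#   System image file is "flash:c1841-advipservicesk9-mz.151-4.M4.bin"
IMAGE_LINE = re.compile(r'^System image file is "([^"]+)"', re.MULTILINE)

IMAGE = "flash:c1841-advipservicesk9-mz.151-4.M4.bin"

# Constructed baseline: device -> (expected bootstrap version, expected image path).
BASELINE: Dict[str, Tuple[str, str]] = {
    "edge-rtr-01": ("12.4(13r)T", IMAGE),
    "edge-rtr-02": ("12.4(13r)T", IMAGE),
    "branch-rtr-07": ("12.4(13r)T", IMAGE),
}


def _show_version(rom: str, image: str) -> str:
    """Build a constructed 'show version' excerpt in the IOS Classic layout."""
    return (
        "Cisco IOS Software, C1841 Software (C1841-ADVIPSERVICESK9-M), "
        "Version 15.1(4)M4, RELEASE SOFTWARE (fc1)\n"
        f"ROM: System Bootstrap, Version {rom}, RELEASE SOFTWARE (fc1)\n"
        "\n"
        "router uptime is 12 weeks, 3 days, 4 hours, 17 minutes\n"
        f'System image file is "{image}"\n'
    )


# Constructed collected output. branch-rtr-07 reports a bootstrap version that the
# operators never deployed (the version string itself is hypothetical), which is the
# condition this check is meant to surface.
SHOW_VERSION: Dict[str, str] = {
    "edge-rtr-01": _show_version("12.4(13r)T", IMAGE),
    "edge-rtr-02": _show_version("12.4(13r)T", IMAGE),
    "branch-rtr-07": _show_version("12.4(22r)T", IMAGE),
}


def parse_show_version(text: str) -> Dict[str, Optional[str]]:
    """Extract the bootstrap version and image path; a missing field comes back as None."""
    rom = ROM_LINE.search(text)
    img = IMAGE_LINE.search(text)
    return {
        "rommon": rom.group(1) if rom else None,
        "image": img.group(1) if img else None,
    }


def check_devices(outputs: Dict[str, str],
                  baseline: Dict[str, Tuple[str, str]]) -> List[str]:
    """Return one finding per discrepancy; an empty list means every device matched.

    Devices missing from either side are reported too, since a device with no
    baseline cannot be vouched for and a device that returned nothing was not checked.
    """
    findings: List[str] = []
    for device in sorted(set(outputs) | set(baseline)):
        if device not in baseline:
            findings.append(f"{device}: no baseline recorded; record one before trusting it")
            continue
        if device not in outputs:
            findings.append(f"{device}: no 'show version' output collected")
            continue
        parsed = parse_show_version(outputs[device])
        expected_rom, expected_image = baseline[device]
        if parsed["rommon"] is None:
            findings.append(f"{device}: bootstrap line not found; inspect by hand")
        elif parsed["rommon"] != expected_rom:
            findings.append(
                f"{device}: ROMMON {parsed['rommon']} differs from baseline {expected_rom}")
        if parsed["image"] is not None and parsed["image"] != expected_image:
            findings.append(
                f"{device}: image {parsed['image']} differs from baseline {expected_image}")
    return findings


if __name__ == "__main__":
    for finding in check_devices(SHOW_VERSION, BASELINE) or ["all devices match baseline"]:
        print(finding)
```

One caveat: the bootstrap runs before IOS, so a carefully built malicious ROMMON can misreport its own version, and this check only catches replacements that do not bother to hide. Treat it as a cheap first pass, collected over a trusted path, and pair it with hash verification of the images against copies you obtained from Cisco and with review of who ran ROMMON upgrade commands and when.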




Edited by Dominick Sorrentino