Cisco IOS devices are under attack, and the networking giant has issued a warning about intrusions in which attackers gained administrative access and could potentially keep it indefinitely.
“Cisco has observed a limited number of cases where attackers, after gaining administrative or physical access to a Cisco IOS device, replaced the Cisco IOS ROMMON (IOS bootstrap) with a malicious ROMMON image,” an advisory said.
“In all cases seen by Cisco, attackers accessed the devices using valid administrative credentials and then used the ROMMON field upgrade process to install a malicious ROMMON. Once the malicious ROMMON was installed and the IOS device was rebooted, the attacker was able to manipulate device behavior. Utilizing a malicious ROMMON provides attackers an additional advantage because infection will persist through a reboot.”
Stopping this type of attack is difficult because Cisco cannot simply remove the ability to install an upgraded ROMMON image on IOS devices: network administrators routinely rely on that feature for a range of legitimate tasks.
The attacks are the work of sophisticated actors: not only have they obtained the valid administrative credentials they needed, but they are also capable of building a malicious ROMMON image.
Cisco advises administrators to review its guidance on preventing and detecting this and other attacks, and on remediating a potential compromise of Cisco IOS devices, which is provided in the documents linked from the advisory.
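One concrete detection step a network team can take against the bootstrap replacement described above is to compare the ROMMON version each device reports against an approved baseline. The following is an added example, not code from Cisco or from the advisory; the hostnames, the `show version` excerpts and the approved-version table are all constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample "show version" excerpts (not captured from any real
# device). IOS reports the running ROMMON on the "ROM: System Bootstrap" line.
SAMPLE_SHOW_VERSION = {
    "edge-rtr-01": (
        "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M3\n"
        "ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)\n"
        "edge-rtr-01 uptime is 12 weeks, 3 days\n"
    ),
    "edge-rtr-02": (
        "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M3\n"
        "ROM: System Bootstrap, Version 15.0(1r)M16-MOD, RELEASE SOFTWARE (fc1)\n"
        "edge-rtr-02 uptime is 2 days, 4 hours\n"
    ),
}

# Hypothetical baseline of approved ROMMON versions per platform. In practice
# this comes from vendor release data and your own change records, never from
# the devices being audited.
APPROVED_ROMMON: Dict[str, Set[str]] = {"C2900": {"15.0(1r)M15", "15.0(1r)M16"}}

PLATFORM_RE = re.compile(r"^Cisco IOS Software, (\w+) Software", re.M)
ROM_RE = re.compile(r"^ROM: System Bootstrap, Version ([^,\s]+),", re.M)

def extract_rommon(show_version: str) -> Optional[Tuple[str, str]]:
    """Return (platform, rommon_version) parsed from show version text, or None."""
    plat = PLATFORM_RE.search(show_version)
    rom = ROM_RE.search(show_version)
    if not plat or not rom:
        return None
    return plat.group(1), rom.group(1)

def audit(outputs: Dict[str, str], approved: Dict[str, Set[str]]) -> List[str]:
    """Return hostnames whose running ROMMON is not on the approved list.
    Unparseable output is also reported: a device that cannot be verified
    should be inspected, not silently passed."""
    findings = []
    for host, text in outputs.items():
        parsed = extract_rommon(text)
        if parsed is None or parsed[1] not in approved.get(parsed[0], set()):
            findings.append(host)
    return findings

if __name__ == "__main__":
    for host in audit(SAMPLE_SHOW_VERSION, APPROVED_ROMMON):
        print(f"{host}: ROMMON version not in baseline, inspect before trusting")
```

A replaced bootstrap can misreport its own version, so a clean result from this check is necessary but not sufficient; it catches careless replacements and unrecorded changes, while the offline verification steps in Cisco's linked documents remain the stronger control.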