Cisco is warning about a series of attacks that hijack critical network gear by swapping out the firmware image with one that’s been maliciously altered.
Cisco network gear hijacked
The attacks apparently use valid admin credentials, indicating that they are being carried out by insiders or by people who have managed to discover the sensitive passwords required to make changes to Cisco hardware. ROMMON, short for ROM Monitor, is the bootstrap program used to boot Cisco’s IOS operating system; admins also use it for tasks such as recovering lost passwords and downloading software.
In a note on Wednesday, company officials said:
“In all cases seen by Cisco, attackers accessed the devices using valid administrative credentials and then used the ROMMON field upgrade process to install a malicious ROMMON. Once the malicious ROMMON was installed and the IOS device was rebooted, the attacker was able to manipulate device behavior. Utilizing a malicious ROMMON provides attackers an additional advantage because infection will persist through a reboot.
“No product vulnerability is leveraged in this attack, and the attacker requires valid administrative credentials or physical access to the system to be successful. The ability to install an upgraded ROMMON image on IOS devices is a standard, documented feature that administrators use to manage their networks. No CVE ID will be assigned.”
The significance of the announcement isn’t just that the firmware can be replaced: replacing firmware is a standard feature not just of Cisco kit but of practically every computing device. What is significant is that attackers managed to obtain the admin credentials needed to make unauthorised changes, and the company has not yet said how that is happening…
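Because the attack leaves a different bootstrap image in place, one cheap detection is to compare the ROMMON string each device reports against a baseline recorded when it was deployed. The script below is an added example, not Cisco’s code or anything from the Ars Technica piece; the `show version` excerpts, hostnames and baseline values are constructed, and it assumes the bootstrap appears on the usual `ROM:` line of `show version`.

```python
import re

# Constructed "show version" excerpts (not real device output). The "ROM:" line
# mirrors the usual IOS layout: "ROM: System Bootstrap, Version X, RELEASE SOFTWARE (fc1)".
SAMPLES = {
    "router-a": (
        "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M3\n"
        "ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)\n"
        "router-a uptime is 3 weeks, 2 days, 4 hours\n"
    ),
    "router-b": (
        "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M3\n"
        "ROM: System Bootstrap, Version 15.0(1r)M99, RELEASE SOFTWARE (fc1)\n"
        "router-b uptime is 1 hour, 40 minutes\n"
    ),
    # Truncated output with no ROM line: must not be silently treated as clean.
    "router-c": "Cisco IOS Software, C2900 Software, Version 15.4(3)M3\n",
}

# Hypothetical per-device baseline captured at deployment time (constructed values).
BASELINE = {
    "router-a": "System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)",
    "router-b": "System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)",
    "router-c": "System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)",
}

ROM_LINE = re.compile(r"^ROM:\s*(.+?)\s*$", re.MULTILINE)


def rommon_string(show_version: str):
    """Return the bootstrap (ROMMON) string reported by 'show version', or None if absent."""
    m = ROM_LINE.search(show_version)
    return m.group(1) if m else None


def check_rommon(host: str, show_version: str, baseline: dict) -> str:
    """Classify one device: 'ok', 'changed' (differs from baseline) or 'unknown'."""
    seen = rommon_string(show_version)
    if seen is None or host not in baseline:
        return "unknown"  # missing line or no baseline: investigate, never assume clean
    return "ok" if seen == baseline[host] else "changed"


def audit(samples: dict, baseline: dict) -> dict:
    """Run the check over every captured output and return host -> verdict."""
    return {host: check_rommon(host, out, baseline) for host, out in samples.items()}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLES, BASELINE).items():
        print(f"{host}: {verdict}")
```

A bootstrap that has been tampered with can also lie about its version, so a matching string is a necessary check rather than proof of a clean device; treat any `changed` or `unknown` verdict, and any unexplained reboot, as something to investigate alongside the admin-credential audit the article points to.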
SOURCE: Ars Technica.