Cisco has issued an official warning about in-the-wild attacks in which attackers gained administrative access to Cisco IOS devices and could potentially keep it indefinitely.
"Cisco has observed a limited number of cases where attackers, after gaining administrative or physical access to a Cisco IOS device, replaced the Cisco IOS ROMMON (IOS bootstrap) with a malicious ROMMON image," the advisory explains.
"In all cases seen by Cisco, attackers accessed the devices using valid administrative credentials and then used the ROMMON field upgrade process to install a malicious ROMMON. Once the malicious ROMMON was installed and the IOS device was rebooted, the attacker was able to manipulate device behavior. Utilizing a malicious ROMMON provides attackers an additional advantage because infection will persist through a reboot."
The problem with stopping this type of attack is that Cisco can't simply remove the ability to install an upgraded ROMMON image on IOS devices: it is a legitimate feature that network admins often use to perform a variety of tasks.
The observed attacks are evidently the work of relatively sophisticated attackers: not only have they obtained the valid administrative credentials they needed (how is still unknown), but they are also capable of building a malicious ROMMON image.
Cisco advises admins to review the documents linked from the advisory, which cover prevention and detection of this and other attacks, as well as remediation of potentially compromised Cisco IOS devices.
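A fleet-wide baseline check is one concrete form that detection can take. The following is an added example, not code from Cisco or the advisory: it parses constructed `show version` excerpts (the `ROM: System Bootstrap` line format and an operator-kept allow-list of approved bootstrap versions are assumptions) and flags devices whose bootstrap version is missing or unapproved, recording a recent reboot alongside because a replaced ROMMON only takes effect after the device restarts.

```python
import re

# Constructed `show version` excerpts keyed by hostname (sample data, not real devices).
SAMPLE_SHOW_VERSION = {
    "edge-rtr-01": "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M3\n"
                   "ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)\n"
                   "edge-rtr-01 uptime is 41 weeks, 2 days, 4 hours, 12 minutes\n",
    "edge-rtr-02": "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M3\n"
                   "ROM: System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)\n"
                   "edge-rtr-02 uptime is 1 hour, 3 minutes\n",
    "edge-rtr-03": "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M3\n"
                   "edge-rtr-03 uptime is 30 weeks, 1 day\n",
}
# Operator-maintained allow-list of bootstrap versions per platform family (assumed to exist).
APPROVED_ROMMON = {"C2900": {"15.0(1r)M16"}}

PLATFORM_RE = re.compile(r"^Cisco IOS Software,\s+(\w+)\s+Software", re.M)
ROM_RE = re.compile(r"^ROM:\s+System Bootstrap,\s+Version\s+(\S+),", re.M)
UPTIME_RE = re.compile(r"uptime is (.+)$", re.M)

def uptime_days(s):
    """Convert '2 weeks, 3 days, 4 hours' into a float number of days."""
    unit_days = {"year": 365, "week": 7, "day": 1, "hour": 1 / 24, "minute": 1 / 1440}
    return sum(int(n) * unit_days[u]
               for n, u in re.findall(r"(\d+)\s+(year|week|day|hour|minute)", s))

def parse_show_version(text):
    """Return (platform, rommon_version, uptime_days); None for any field not found."""
    platform, rommon, uptime = (r.search(text) for r in (PLATFORM_RE, ROM_RE, UPTIME_RE))
    return (platform.group(1) if platform else None,
            rommon.group(1) if rommon else None,
            uptime_days(uptime.group(1)) if uptime else None)

def audit_rommon(outputs, approved, recent_days=7):
    """Flag hosts whose bootstrap version is missing or not on the allow-list.
    Each finding also records whether the device rebooted within recent_days:
    a replaced ROMMON only takes effect after a restart, so an unexplained
    reboot alongside an unapproved version deserves the fastest follow-up."""
    findings = []
    for host, text in sorted(outputs.items()):
        platform, rommon, up = parse_show_version(text)
        recently_rebooted = up is not None and up < recent_days
        if rommon is None:   # parser found no ROM line: review manually, never silently pass
            findings.append((host, "rommon-line-missing", None, recently_rebooted))
        elif rommon not in approved.get(platform, set()):
            findings.append((host, "rommon-not-approved", rommon, recently_rebooted))
    return findings
```

Because a malicious ROMMON can report whatever version string it likes, a clean result here is a triage signal rather than proof of integrity; treat any mismatch as a prompt to follow the verification and remediation guidance linked from the advisory.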
Friday, August 14, 2015