Hackers Install Malicious ROMMON Images on CISCO Devices
CISCO Product Security Incident Response Team or PSIRT monitors CISCO products for vulnerabilities and attacks and publishes reports about malicious activities.
Lately they have released information regarding increasingly complex attacks against platforms running Cisco IOS Software. According to Product Security Incident Response Team, after gaining administrative or physical access to CISCO IOS devices, cyber attackers were able to replace the ROMMON (ROM MONITOR) with malicious images.
ROMMON is a bootstrap program, a mini operating system in the Cisco devices that helps to initialize the processor hardware and boot the operating system software. After installation of malicious ROMMON image device is rebooted and attack gains abilities to initiate any activity on a device.
Most dangerous part of this finding is that ROMMON will stay on CISCO device even after a reboot.
According to CISCO PSIRT:
No product vulnerability is leveraged in this attack, and the attacker requires valid administrative credentials or physical access to the system to be successful. The ability to install an upgraded ROMMON image on IOS devices is a standard, documented feature that administrators use to manage their networks. No CVE ID will be assigned.
Vendor has also released an image about evolution of attacks against cisco devices, which you can observe below;
Due to this discovery CISCO has updated following technical documentations in order to assist administrators:
- Cisco IOS Software Integrity Assurance
- Cisco Guide to Harden IOS Devices
- Telemetry-Based Infrastructure Device Integrity Monitoring
Cisco recommends Cisco IOS device administrators to review these documents to understand the types of threats against Cisco IOS devices. Cisco also recommends users to ensure that operational procedures include methods for preventing and detecting compromise.