Cisco IOS Rootkits Can Be Created With Limited Resources: Researchers

A paper published last week aims to demonstrate that developing rootkits for devices running Cisco IOS doesn’t require advanced knowledge or the resources of a nation state.

A malicious implant, dubbed “SYNful Knock,” was found last month on hundreds of Cisco routers. Attackers planted the threat not by exploiting software vulnerabilities, but by using stolen administrative credentials and a legitimate feature that allowed them to replace the legitimate firmware with a malicious version.

After the existence of SYNful Knock came to light, some experts pointed the finger at a nation-state actor, arguing that developing such threats is not within the capabilities of run-of-the-mill cybercriminals.

However, researchers at penetration testing company Grid32 believe it doesn’t take the resources of a nation state or a high-tech think tank to develop rootkits for IOS, the software running on most Cisco routers and switches. They have published a paper detailing the creation of a basic IOS rootkit that they claim could be improved to be at least as sophisticated as SYNful Knock.

Grid32 believes a Cisco IOS rootkit can be created in a month or less, a timeframe that includes studying PowerPC assembly, learning disassembly, and writing and debugging the code.

“Yes, it is time consuming finding and figuring out the functions via tracing, debugging, and string references but certainly very possible. There is no magic involved, no need for nation states to be the source of the code, and no secret advanced techniques involved,” reads the paper from Grid32. “Binary modification to the firmware of a Cisco device running IOS merely involves basic coding skills, knowledge of assembly language for the target architecture, a base level knowledge of disassembly, combined with time and interest.”

In a blog post published on Friday, Cisco pointed out that SYNful Knock is not the first piece of malware targeting devices running IOS. Cisco is currently aware of six malware incidents targeting such devices, and SYNful Knock is just the latest in a series of attacks the company has observed since 2011.

In an effort to keep up with the evolution of such threats, Cisco has implemented various new security technologies in current devices, including secure boot, trust anchor modules, and image signing capabilities. While these systems should significantly reduce the likelihood of success for attacks like SYNful Knock, the networking giant has highlighted that customers will also have to take some steps on their end, such as following best practices and fully utilizing available security tools.

“Cisco maintains a very open relationship with the security community, and we view this as vital to helping protect our customers’ networks,” a Cisco spokesperson told SecurityWeek. “We appreciate Grid32 adding their voice to calls for greater focus on network security.”

However, the company noted that the Grid32 whitepaper describes modifications made to firmware for legacy products (Cisco 2600) and does not take into account the new security technologies implemented in current devices.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
