SecurityWeek

Malware & Threats

Cisco IOS Rootkits Can Be Created With Limited Resources: Researchers

A paper published last week aims to demonstrate that developing rootkits for devices running Cisco IOS doesn’t require advanced knowledge or the resources of a nation state.

A malicious implant, dubbed “SYNful Knock,” was found last month on hundreds of Cisco routers. Attackers planted the threat not by exploiting software vulnerabilities, but by using stolen administrative credentials and a legitimate firmware-update feature to replace the original IOS image with a malicious version.

After the existence of SYNful Knock came to light, some experts pointed the finger at a nation-state actor, arguing that developing such threats is not within the capabilities of run-of-the-mill cybercriminals.

However, researchers at penetration testing company Grid32 believe it doesn’t take the resources of a nation state or a high tech think tank to develop rootkits for IOS, the software running on most Cisco routers and switches. They have published a paper detailing the creation of a basic IOS rootkit that they claim could be improved to be at least as sophisticated as SYNful Knock.

Grid32 believes a Cisco IOS rootkit can be created in a month or less, which includes studying PowerPC assembly, learning disassembly, and writing and debugging code.

“Yes, it is time consuming finding and figuring out the functions via tracing, debugging, and string references but certainly very possible. There is no magic involved, no need for nation states to be the source of the code, and no secret advanced techniques involved,” reads the paper from Grid32. “Binary modification to the firmware of a Cisco device running IOS merely involves basic coding skills, knowledge of assembly language for the target architecture, a base level knowledge of disassembly, combined with time and interest.”

In a blog post published on Friday, Cisco pointed out that SYNful Knock is not the first piece of malware targeting devices running IOS. Cisco is currently aware of six malware incidents targeting such devices and SYNful Knock is just the latest in a series of attacks observed by the company since 2011.

In an effort to keep up with the evolution of such threats, Cisco has implemented various new security technologies in current devices, including secure boot, trust anchor modules, and image signing capabilities. While these systems should significantly reduce the likelihood of success for attacks like SYNful Knock, the networking giant has highlighted that customers will also have to take some steps on their end, such as following best practices and fully utilizing available security tools.
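The image-signing and secure-boot features above only protect current hardware; for legacy platforms like the one in the Grid32 paper, the practical control is to check the running image against vendor-published hashes. The script below is an added example (not from the article, Cisco or Grid32) that parses the output of the IOS `verify /md5` command collected from several routers and flags any image whose hash does not match a known-good list. The hostnames, image filenames and hash values are constructed for the example; the golden hashes in a real deployment would be copied from the vendor's download portal, never taken from the device itself.

```python
import re
from typing import Dict, List, Tuple

# Known-good MD5 values per image filename. These are constructed placeholders
# for the example; in practice they come from the vendor's download portal.
GOLDEN_HASHES: Dict[str, str] = {
    "c2600-ik9o3s3-mz.124-25d.bin": "3d5f1c0a9b8e7d6c5b4a39281706f5e4",
}

# Constructed sample: `verify /md5` transcripts from three routers, concatenated
# as a collection script would capture them. None of these hashes are real.
SAMPLE_TRANSCRIPT = """\
edge-r1# verify /md5 flash:c2600-ik9o3s3-mz.124-25d.bin
.........Done!
verify /md5 (flash:c2600-ik9o3s3-mz.124-25d.bin) = 3d5f1c0a9b8e7d6c5b4a39281706f5e4
edge-r2# verify /md5 flash:c2600-ik9o3s3-mz.124-25d.bin
.........Done!
verify /md5 (flash:c2600-ik9o3s3-mz.124-25d.bin) = 00112233445566778899aabbccddeeff
core-r1# verify /md5 flash:c2600-js-mz.123-26.bin
.........Done!
verify /md5 (flash:c2600-js-mz.123-26.bin) = 9f8e7d6c5b4a39281706f5e4d3c2b1a0
"""

# The prompt line tells us which device the following result belongs to.
PROMPT_RE = re.compile(r"^(?P<host>\S+)# verify /md5 ")
# Result line: "verify /md5 (flash:<image>) = <32 hex chars>"; the "flash:"
# prefix is optional so the filename alone is used as the allowlist key.
RESULT_RE = re.compile(
    r"^verify /md5 \((?:\w+:)?(?P<image>[^)]+)\) = (?P<md5>[0-9a-f]{32})$"
)


def parse_verify_transcript(text: str) -> List[Tuple[str, str, str]]:
    """Return (host, image filename, md5) for every verify result found."""
    results: List[Tuple[str, str, str]] = []
    host = "unknown"
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            host = m.group("host")
            continue
        m = RESULT_RE.match(line)
        if m:
            results.append((host, m.group("image"), m.group("md5")))
    return results


def classify(results: List[Tuple[str, str, str]],
             golden: Dict[str, str] = GOLDEN_HASHES) -> Dict[str, str]:
    """Map each host to 'ok', 'mismatch' (hash differs from the golden value)
    or 'unknown-image' (filename not on the allowlist at all)."""
    verdicts: Dict[str, str] = {}
    for host, image, md5 in results:
        expected = golden.get(image)
        if expected is None:
            verdicts[host] = "unknown-image"
        elif md5 == expected:
            verdicts[host] = "ok"
        else:
            verdicts[host] = "mismatch"
    return verdicts


def audit(text: str = SAMPLE_TRANSCRIPT) -> Dict[str, str]:
    """Parse a collected transcript and return the per-host verdicts."""
    return classify(parse_verify_transcript(text))


if __name__ == "__main__":
    for host, verdict in sorted(audit().items()):
        print(f"{host}: {verdict}")
```

In the constructed sample, `edge-r1` matches the golden hash, `edge-r2` runs an image with the expected filename but a different hash (the SYNful Knock pattern of a swapped image), and `core-r1` runs a filename that is not on the allowlist at all, which deserves a look even if it turns out to be a legitimately different release. One caveat the article's own premise implies: a rootkit that already controls the running IOS can also tamper with what on-box commands report, so the authoritative check is to copy the image off the device and hash that copy on a trusted host, using the same allowlist.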

“Cisco maintains a very open relationship with the security community, and we view this as vital to helping protect our customers’ networks,” a Cisco spokesperson told SecurityWeek. “We appreciate Grid32 adding their voice to calls for greater focus on network security.”

However, the company noted that the Grid32 whitepaper describes modifications made to firmware for legacy products (Cisco 2600) and does not take into account the new security technologies implemented in current devices.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
