Security Experts:

Cisco IOS Rootkits Can Be Created With Limited Resources: Researchers

A paper published last week aims to demonstrate that developing rootkits for devices running Cisco IOS doesn’t require advanced knowledge or the resources of a nation state.

A malicious implant, dubbed “SYNful Knock,” was found last month on hundreds of Cisco routers. Attackers planted the threat not by exploiting software vulnerabilities, but by using stolen administrative credentials and a legitimate feature that allowed them to replace the legitimate firmware with a malicious version.

After the existence of SYNful Knock came to light, some experts pointed the finger at a nation-state actor, arguing that developing such threats is not within the capabilities of run-of-the-mill cybercriminals.

However, researchers at penetration testing company Grid32 believe it doesn’t take the resources of a nation state or a high tech think tank to develop rootkits for IOS, the software running on most Cisco routers and switches. They have published a paper detailing the creation of a basic IOS rootkit that they claim could be improved to be at least as sophisticated as SYNful Knock.

Grid32 believes a Cisco IOS rootkit can be created in a month or less, which includes studying PowerPC assembly, learning disassembly, and writing and debugging code.

“Yes, it is time consuming finding and figuring out the functions via tracing, debugging, and string references but certainly very possible. There is no magic involved, no need for nation states to be the source of the code, and no secret advanced techniques involved,” reads the paper from Grid32. “Binary modification to the firmware of a Cisco device running IOS merely involves basic coding skills, knowledge of assembly language for the target architecture, a base level knowledge of disassembly, combined with time and interest.”

In a blog post published on Friday, Cisco pointed out that SYNful Knock is not the first piece of malware targeting devices running IOS. Cisco is currently aware of six malware incidents targeting such devices and SYNful Knock is just the latest in a series of attacks observed by the company since 2011.

In an effort to keep up with the evolution of such threats, Cisco has implemented various new security technologies in current devices, including secure boot, trust anchor modules, and image signing capabilities. While these systems should significantly reduce the likelihood of success for attacks like SYNful Knock, the networking giant has highlighted that customers will also have to take some steps on their end, such as following best practices and fully utilizing available security tools.

“Cisco maintains a very open relationship with the security community, and we view this as vital to helping protect our customers’ networks,” a Cisco spokesperson told SecurityWeek. “We appreciate Grid32 adding their voice to calls for greater focus on network security.”

However, the company noted that the Grid32 whitepaper describes modifications made to firmware for legacy products (Cisco 2600) and does not take into account the new security technologies implemented in current devices.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.