Cisco IOS Rootkits Can Be Created With Limited Resources: Researchers

A paper published last week aims to demonstrate that developing rootkits for devices running Cisco IOS doesn’t require advanced knowledge or the resources of a nation state.

A malicious implant, dubbed “SYNful Knock,” was found last month on hundreds of Cisco routers. Attackers planted the threat not by exploiting software vulnerabilities, but by using stolen administrative credentials and a legitimate feature that allowed them to replace the legitimate firmware with a malicious version.

After the existence of SYNful Knock came to light, some experts pointed the finger at a nation-state actor, arguing that developing such threats is not within the capabilities of run-of-the-mill cybercriminals.

However, researchers at penetration testing company Grid32 believe it doesn’t take the resources of a nation state or a high-tech think tank to develop rootkits for IOS, the software running on most Cisco routers and switches. They have published a paper detailing the creation of a basic IOS rootkit that they claim could be improved to be at least as sophisticated as SYNful Knock.

Grid32 believes a Cisco IOS rootkit can be created in a month or less, which includes studying PowerPC assembly, learning disassembly, and writing and debugging code.

“Yes, it is time consuming finding and figuring out the functions via tracing, debugging, and string references but certainly very possible. There is no magic involved, no need for nation states to be the source of the code, and no secret advanced techniques involved,” reads the paper from Grid32. “Binary modification to the firmware of a Cisco device running IOS merely involves basic coding skills, knowledge of assembly language for the target architecture, a base level knowledge of disassembly, combined with time and interest.”

In a blog post published on Friday, Cisco pointed out that SYNful Knock is not the first piece of malware targeting devices running IOS. Cisco is currently aware of six malware incidents targeting such devices, and SYNful Knock is just the latest in a series of attacks observed by the company since 2011.

In an effort to keep up with the evolution of such threats, Cisco has implemented various new security technologies in current devices, including secure boot, trust anchor modules, and image signing capabilities. While these systems should significantly reduce the likelihood of success for attacks like SYNful Knock, the networking giant has highlighted that customers will also have to take some steps on their end, such as following best practices and fully utilizing available security tools.

“Cisco maintains a very open relationship with the security community, and we view this as vital to helping protect our customers’ networks,” a Cisco spokesperson told SecurityWeek. “We appreciate Grid32 adding their voice to calls for greater focus on network security.”

However, the company noted that the Grid32 whitepaper describes modifications made to firmware for legacy products (Cisco 2600) and does not take into account the new security technologies implemented in current devices.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
