Security Experts:

Malicious Firmware Found on Hundreds of Cisco Routers

The number of Cisco routers affected by malware implants has increased to 200, according to a report published by the Shadowserver Foundation on Monday.

Cisco first reported spotting routers on which attackers had replaced the legitimate ROM Monitor (ROMMON) image with a malicious version in mid-August. The malware implants, which could give attackers persistent access to targeted networks, have been installed by using stolen credentials and a legitimate feature provided to network administrators.

Last week, FireEye’s Mandiant, which dubbed the threat “SYNful Knock,” reported identifying a total of 14 infected Cisco routers across four countries.

Mandiant has identified several affected Cisco router models, but Cisco has pointed out that such attacks can be launched against products from other vendors as well, especially since they don’t involve the exploitation of an actual vulnerability.

“While Mandiant saw this attack across specific Cisco models, the key focus of this research is more about an evolution in attack types and how important it is for all network administrators to ensure security best practices are implemented. Network devices, of many types and from many companies, are high-value targets for malicious actors,” Yvonne Malmgren of Cisco Corporate Communications told SecurityWeek.

The number of affected routers continues to increase. Shortly after Mandiant published its report, researchers revealed spotting 79 potentially impacted systems across 19 countries.

The Shadowserver Foundation, which gathers intelligence on the dark side of the Web, has been working with Cisco to scan the Internet in search for potentially affected routers. As of Monday, Shadowserver identified 199 unique IP addresses that matched SYNful Knock behavior. Roughly one-third of the malware implants were spotted in the United States.

Of the 163 infections observed by September 20, sixty-five were in the U.S., twelve in India, eleven in Russia, nine in Poland, eight in China, seven in Thailand, and five in Lebanon. Between one and four implants were spotted in various countries from Europe, Asia, the Americas and Africa.

“It is important to stress the severity of this malicious activity. Currently, Shadowserver believes that any machine that responds to this scan is potentially compromised. Compromised routers should be identified and remediated as a top priority,” Shadowserver said.

Cisco has provided customers with all the information they need for detecting and remediating these types of attacks.

Related Reading: Industry Reactions to Cisco Router Implants

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.