Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Malicious Firmware Found on Hundreds of Cisco Routers

The number of Cisco routers affected by malware implants has increased to 200, according to a report published by the Shadowserver Foundation on Monday.

The number of Cisco routers affected by malware implants has increased to 200, according to a report published by the Shadowserver Foundation on Monday.

Cisco first reported spotting routers on which attackers had replaced the legitimate ROM Monitor (ROMMON) image with a malicious version in mid-August. The malware implants, which could give attackers persistent access to targeted networks, have been installed by using stolen credentials and a legitimate feature provided to network administrators.

Last week, FireEye’s Mandiant, which dubbed the threat “SYNful Knock,” reported identifying a total of 14 infected Cisco routers across four countries.

Mandiant has identified several affected Cisco router models, but Cisco has pointed out that such attacks can be launched against products from other vendors as well, especially since they don’t involve the exploitation of an actual vulnerability.

“While Mandiant saw this attack across specific Cisco models, the key focus of this research is more about an evolution in attack types and how important it is for all network administrators to ensure security best practices are implemented. Network devices, of many types and from many companies, are high-value targets for malicious actors,” Yvonne Malmgren of Cisco Corporate Communications told SecurityWeek.

The number of affected routers continues to increase. Shortly after Mandiant published its report, researchers revealed spotting 79 potentially impacted systems across 19 countries.

The Shadowserver Foundation, which gathers intelligence on the dark side of the Web, has been working with Cisco to scan the Internet in search for potentially affected routers. As of Monday, Shadowserver identified 199 unique IP addresses that matched SYNful Knock behavior. Roughly one-third of the malware implants were spotted in the United States.

Of the 163 infections observed by September 20, sixty-five were in the U.S., twelve in India, eleven in Russia, nine in Poland, eight in China, seven in Thailand, and five in Lebanon. Between one and four implants were spotted in various countries from Europe, Asia, the Americas and Africa.

“It is important to stress the severity of this malicious activity. Currently, Shadowserver believes that any machine that responds to this scan is potentially compromised. Compromised routers should be identified and remediated as a top priority,” Shadowserver said.

Cisco has provided customers with all the information they need for detecting and remediating these types of attacks.

Related Reading: Industry Reactions to Cisco Router Implants

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.