Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Malicious Firmware Found on Hundreds of Cisco Routers

The number of Cisco routers affected by malware implants has increased to 200, according to a report published by the Shadowserver Foundation on Monday.

The number of Cisco routers affected by malware implants has increased to 200, according to a report published by the Shadowserver Foundation on Monday.

Cisco first reported spotting routers on which attackers had replaced the legitimate ROM Monitor (ROMMON) image with a malicious version in mid-August. The malware implants, which could give attackers persistent access to targeted networks, have been installed by using stolen credentials and a legitimate feature provided to network administrators.

Last week, FireEye’s Mandiant, which dubbed the threat “SYNful Knock,” reported identifying a total of 14 infected Cisco routers across four countries.

Mandiant has identified several affected Cisco router models, but Cisco has pointed out that such attacks can be launched against products from other vendors as well, especially since they don’t involve the exploitation of an actual vulnerability.

“While Mandiant saw this attack across specific Cisco models, the key focus of this research is more about an evolution in attack types and how important it is for all network administrators to ensure security best practices are implemented. Network devices, of many types and from many companies, are high-value targets for malicious actors,” Yvonne Malmgren of Cisco Corporate Communications told SecurityWeek.

The number of affected routers continues to increase. Shortly after Mandiant published its report, researchers revealed spotting 79 potentially impacted systems across 19 countries.

The Shadowserver Foundation, which gathers intelligence on the dark side of the Web, has been working with Cisco to scan the Internet in search for potentially affected routers. As of Monday, Shadowserver identified 199 unique IP addresses that matched SYNful Knock behavior. Roughly one-third of the malware implants were spotted in the United States.

Of the 163 infections observed by September 20, sixty-five were in the U.S., twelve in India, eleven in Russia, nine in Poland, eight in China, seven in Thailand, and five in Lebanon. Between one and four implants were spotted in various countries from Europe, Asia, the Americas and Africa.

“It is important to stress the severity of this malicious activity. Currently, Shadowserver believes that any machine that responds to this scan is potentially compromised. Compromised routers should be identified and remediated as a top priority,” Shadowserver said.

Cisco has provided customers with all the information they need for detecting and remediating these types of attacks.

Related Reading: Industry Reactions to Cisco Router Implants

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Fortinet warned of three malicious PyPI packages containing code that fetches the Wacatac trojan and information stealer.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...