Surge in attacks on platforms running Cisco IOS Software

Dated: August 12, 2015

Summary
Cisco has observed an increase in attacks against Cisco IOS Classic platforms. In a number of cases, attackers who had gained administrative or physical access to a Cisco IOS device replaced the Cisco IOS ROMMON (the IOS bootstrap) with a malicious ROMMON image.

Description
In all cases seen by Cisco, attackers accessed the devices using valid administrative credentials and then used the ROMMON field upgrade process to install a malicious ROMMON. Once the malicious ROMMON was installed and the device was rebooted, the attacker was able to manipulate device behavior. A malicious ROMMON gives the attacker an additional advantage: because it replaces the bootstrap itself, the infection persists across reboots.

Recommendations
Cisco has recently updated a number of technical documents to include information regarding the ROMMON attack as well as other threats to Cisco IOS devices [1]. NUST CSIRT encourages users and administrators to follow these recommendations to protect their devices.
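As an added example, not part of this advisory or of any Cisco tool: a defender-side baseline check that parses the bootstrap version from collected `show version` output and flags any device whose ROMMON no longer matches what was recorded at deployment. The device names, versions and output below are constructed; since firmware that has already been replaced can misreport its own version, a match is a triage signal rather than proof of integrity, and the vendor integrity-assurance guidance referenced above remains the authoritative check.

```python
import re
from typing import Dict, List, Optional

# Matches the bootstrap (ROMMON) line printed near the top of "show version"
# on Cisco IOS Classic devices, e.g.:
#   ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
ROM_LINE = re.compile(r"^ROM:\s*System Bootstrap,\s*Version\s+(?P<ver>\S+?),", re.M)

def rommon_version(show_version: str) -> Optional[str]:
    """Return the ROMMON version string from 'show version' output, or None."""
    m = ROM_LINE.search(show_version)
    return m.group("ver") if m else None

def check_rommon_baseline(baseline: Dict[str, str], collected: Dict[str, str]) -> List[str]:
    """Compare each device's reported ROMMON against its recorded baseline.

    Returns human-readable findings; an empty list means every device matched.
    A device whose output lacks the ROM line is reported too, because a parser
    that silently skipped it would hide exactly the anomaly being looked for.
    """
    findings = []
    for device, expected in sorted(baseline.items()):
        output = collected.get(device)
        if output is None:
            findings.append(f"{device}: no 'show version' output collected")
            continue
        seen = rommon_version(output)
        if seen is None:
            findings.append(f"{device}: ROMMON line missing from output")
        elif seen != expected:
            findings.append(f"{device}: ROMMON changed {expected} -> {seen}; "
                            "verify against the vendor-published bootstrap before next reload")
    return findings

# Constructed sample data (hypothetical devices, not real output). rtr-2 reports
# a bootstrap that no longer matches the baseline recorded at deployment.
BASELINE = {"rtr-1": "15.0(1r)M15", "rtr-2": "15.0(1r)M15"}
COLLECTED = {
    "rtr-1": "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M3\n"
             "ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)\n"
             "rtr-1 uptime is 3 weeks, 2 days\n",
    "rtr-2": "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M3\n"
             "ROM: System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)\n"
             "rtr-2 uptime is 6 hours, 4 minutes\n",
}

if __name__ == "__main__":
    for line in check_rommon_baseline(BASELINE, COLLECTED) or ["all devices match baseline"]:
        print(line)
```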

References
[1] http://tools.cisco.com/security/center/viewAlert.x?alertId=40411
[2] http://www.cisco.com/web/about/security/intelligence/integrity-assurance.html
[3] http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
[4] http://www.cisco.com/web/about/security/intelligence/network-integrity-monitoring.html