SYNful_Knock malicious ROMMON images discovered in the wild

Pierluigi Paganini September 15, 2015

Mandiant firm has spotted more than a dozen Cisco routers running malicious ROMMON firmware images that allow attackers to control targeted devices.

A few weeks ago, CISCO issued an alert to warn enterprise customers about a spike in attacks in which hackers use valid admin credentials on IOS devices to install bogus ROMMON images, which is the bootstrap program that initializes the CISCO hardware and boot the software.

Now security experts at Mandiant confirmed to have detected such “implants” in the wild, the researchers found the malicious ROMMON images dubbed “SYNful Knock,” on 14 Cisco routers located in Ukraine, Philippines, India and Mexico. The Cisco models 1841, 2811, 3825 are affected, it is important to highlight that they are no longer being on the market.

Once loaded the bogus ROMMON, The attackers have unrestricted backdoor access to the CISCO router via the console and Telnet using a special password. Bad actors can load further malicious payloads by using specially crafted TCP packets sent to the device’s interface.

The ROMMON implant is persistent meanwhile the 100 additional modules observed by Mandiant reside in volatile memory and for this reason they are removed after a reboot or reload of the router.

As explained by CISCO the attackers exploit stolen credentials to gain control of the CISCO network device and install the bogus ROMMON images.

The attacker somehow accessed valid administrative credentials to access the CISCO devices, they aren’t exploiting any vulnerability, but experts speculate they are harvesting admin credentials to run the attacks and install the malicious ROMMON images.

“Cisco PSIRT has contacted customers to describe an evolution in attacks against Cisco IOS Classic platforms. Cisco has observed a limited number of cases where attackers, after gaining administrative or physical access to a Cisco IOS device, replaced the Cisco IOS ROMMON (IOS bootstrap) with a malicious ROMMON image,” states the advisory from Cisco.

“In all cases seen by Cisco, attackers accessed the devices using valid administrative credentials and then used the ROMMON field upgrade process to install a malicious ROMMON. Once the malicious ROMMON was installed and the IOS device was rebooted, the attacker was able to manipulate device behavior. Utilizing a malicious ROMMON provides attackers an additional advantage because infection will persist through a reboot.

 No product vulnerability is leveraged in this attack, and the attacker requires valid administrative credentials or physical access to the system to be successful. The ability to install an upgraded ROMMON image on IOS devices is a standard, documented feature that administrators use to manage their networks. No CVE ID will be assigned.

Researchers at Mandiant confirm the attackers have had access to admin credentials, or the compromised devices were poorly configured by using default credentials.

SYNful_Knock Details malicious ROMMON

“ Each of the modules are enabled via the HTTP protocol (not HTTPS), using a specifically crafted TCP packets sent to the routers interface. The packets have a nonstandard sequence and corresponding acknowledgment numbers.  The modules can manifest themselves as independent executable code or hooks within the routers IOS that provide functionality similar to the backdoor password. The backdoor password provides access to the router through the console and Telnet.” states Mandiant in a blog post.

SYNful_Knock Details malicious ROMMON 2

This kind of attacks is very insidious for enterprises, they are hard to discover and compromised routers could represent an entry point in the corporate network attackers an easy entry point

Cisco provided the following suggestions to detect and mitigate SYNful_Knock attacks:

These attacks are likely grow in popularity and could represent a serious threat to enterprises as confirmed by FireEye:

We believe that the detection of SYNful Knock is just the tip of the iceberg when it comes to attacks utilizing modified router images (regardless of vendor),” “As attackers focus their efforts on gaining persistent access, it is likely that other undetected variants of this implant are being deployed throughout the globe.”

Pierluigi Paganini

(Security Affairs – CISCO, ROMMON)


you might also like

leave a comment