Categories: Breaking NewsCyber CrimeHackingSecurity

SYNful_Knock malicious ROMMON images discovered in the wild

Mandiant firm has spotted more than a dozen Cisco routers running malicious ROMMON firmware images that allow attackers to control targeted devices.

A few weeks ago, CISCO issued an alert to warn enterprise customers about a spike in attacks in which hackers use valid admin credentials on IOS devices to install bogus ROMMON images, which is the bootstrap program that initializes the CISCO hardware and boot the software.

Now security experts at Mandiant confirmed to have detected such “implants” in the wild, the researchers found the malicious ROMMON images dubbed “SYNful Knock,” on 14 Cisco routers located in Ukraine, Philippines, India and Mexico. The Cisco models 1841, 2811, 3825 are affected, it is important to highlight that they are no longer being on the market.

Once loaded the bogus ROMMON, The attackers have unrestricted backdoor access to the CISCO router via the console and Telnet using a special password. Bad actors can load further malicious payloads by using specially crafted TCP packets sent to the device’s interface.

The ROMMON implant is persistent meanwhile the 100 additional modules observed by Mandiant reside in volatile memory and for this reason they are removed after a reboot or reload of the router.

As explained by CISCO the attackers exploit stolen credentials to gain control of the CISCO network device and install the bogus ROMMON images.

The attacker somehow accessed valid administrative credentials to access the CISCO devices, they aren’t exploiting any vulnerability, but experts speculate they are harvesting admin credentials to run the attacks and install the malicious ROMMON images.

“Cisco PSIRT has contacted customers to describe an evolution in attacks against Cisco IOS Classic platforms. Cisco has observed a limited number of cases where attackers, after gaining administrative or physical access to a Cisco IOS device, replaced the Cisco IOS ROMMON (IOS bootstrap) with a malicious ROMMON image,” states the advisory from Cisco.

“In all cases seen by Cisco, attackers accessed the devices using valid administrative credentials and then used the ROMMON field upgrade process to install a malicious ROMMON. Once the malicious ROMMON was installed and the IOS device was rebooted, the attacker was able to manipulate device behavior. Utilizing a malicious ROMMON provides attackers an additional advantage because infection will persist through a reboot.

No product vulnerability is leveraged in this attack, and the attacker requires valid administrative credentials or physical access to the system to be successful. The ability to install an upgraded ROMMON image on IOS devices is a standard, documented feature that administrators use to manage their networks. No CVE ID will be assigned.

Researchers at Mandiant confirm the attackers have had access to admin credentials, or the compromised devices were poorly configured by using default credentials.

“ Each of the modules are enabled via the HTTP protocol (not HTTPS), using a specifically crafted TCP packets sent to the routers interface. The packets have a nonstandard sequence and corresponding acknowledgment numbers. The modules can manifest themselves as independent executable code or hooks within the routers IOS that provide functionality similar to the backdoor password. The backdoor password provides access to the router through the console and Telnet.” states Mandiant in a blog post.

This kind of attacks is very insidious for enterprises, they are hard to discover and compromised routers could represent an entry point in the corporate network attackers an easy entry point

Cisco provided the following suggestions to detect and mitigate SYNful_Knock attacks:

Step 1: Harden devices – use Cisco’s guidance to harden Cisco IOS devices
Step 2: Instrument the network – follow recommendations Telemetry-Based Infrastructure Device Integrity Monitoring
Step 3: Establish a baseline – ensure operational procedures include methods to establish a baseline
Step 4: Analyze deviations from the baseline by leveraging technical capabilities and recommendations for Cisco IOS Software Integrity Assurance.

These attacks are likely grow in popularity and could represent a serious threat to enterprises as confirmed by FireEye:

“We believe that the detection of SYNful Knock is just the tip of the iceberg when it comes to attacks utilizing modified router images (regardless of vendor),” “As attackers focus their efforts on gaining persistent access, it is likely that other undetected variants of this implant are being deployed throughout the globe.”

Pierluigi Paganini

(Security Affairs – CISCO, ROMMON)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.