Malicious Firmware Found on Hundreds of Cisco Routers

Malicious Firmware Found on Hundreds of Cisco Routers

The number of Cisco routers affected by malware implants has increased to 200, according to a report published by the Shadowserver Foundation on Monday.

Cisco first reported spotting routers on which attackers had replaced the legitimate ROM Monitor (ROMMON) image with a malicious version in mid-August. The malware implants, which could give attackers persistent access to targeted networks, have been installed by using stolen credentials and a legitimate feature provided to network administrators.

“While Mandiant saw this attack across specific Cisco models, the key focus of this research is more about an evolution in attack types and how important it is for all network administrators to ensure security best practices are implemented. Network devices, of many types and from many companies, are high-value targets for malicious actors,” Yvonne Malmgren of Cisco Corporate Communications told SecurityWeek.

The Shadowserver Foundation, which gathers intelligence on the dark side of the Web, has been working with Cisco to scan the Internet in search for potentially affected routers. As of Monday, Shadowserver identified 199 unique IP addresses that matched SYNful Knock behavior. Roughly one-third of the malware implants were spotted in the United States.

Of the 163 infections observed by September 20, sixty-five were in the U.S., twelve in India, eleven in Russia, nine in Poland, eight in China, seven in Thailand, and five in Lebanon. Between one and four implants were spotted in various countries from Europe, Asia, the Americas and Africa.

“It is important to stress the severity of this malicious activity. Currently, Shadowserver believes that any machine that responds to this scan is potentially compromised. Compromised routers should be identified and remediated as a top priority,” Shadowserver said.