CISCO Networking Devices Updated With Malicious IOS Bootstrap, Thanks to Stolen Admin Credentials

Recent reports involving stolen administrative credentials enabled attackers to update the IOS bootstrap running on CISCO switches and routers with maliciously crafted ROMMON images, CISCO announced.

The process allows attackers to remotely manipulate CISCO IOS devices even after reboot, persisting until the malicious ROMMON image is removed. Although the company gave no details as to who reported the incidents, the affected parties, or how the attackers got ahold of the authentication credentials, it recommended organizations take action to prevent such attempts.

“In all cases seen by Cisco, attackers accessed the devices using valid administrative credentials and then used the ROMMON field upgrade process to install a malicious ROMMON,” reads the CISCO Security Activity Bulletin. “Once the malicious ROMMON was installed and the IOS device was rebooted, the attacker was able to manipulate device behavior.”

Because this incident requires valid admin authentication credentials, no CVE identifier has been assigned to the bulletin because no product vulnerability is leveraged in the attack. The IOS upgrading procedure is a standard documented feature that IT administrators can use on all CISCO IOS devices.

“The ability to install an upgraded ROMMON image on IOS devices is a standard, documented feature that administrators use to manage their networks,” reads the bulletin. “Cisco also recommends users ensure operational procedures include methods for preventing and detecting compromise.”

System administrators are encouraged to go through available CISCO technical documents detailing common methods for detecting and preventing attacks on IOS devices. To avoid these types of attacks, IT administrators should consider updating passwords for their IOS devices, as an extra security measure.