Cisco routers are built into the fabric of the Internet and enterprise networks, a fact that makes them highly attractive targets for attackers. Researchers at FireEye have come across attacks recently in which hackers have been modifying the firmware of Cisco routers and using that foothold to maintain persistence on the victim’s network.

Such a technique would give an attacker an excellent position from which to surveil the victim’s network and potentially move to different machines, as well. The FireEye researchers say that the attackers are using a modified IOS image and typically are not exploiting any new vulnerabilities in order to compromise routers. Instead, they probably are taking advantage of either default or stolen credentials in order to gain initial access to the routers.

“The implant consists of a modified Cisco IOS image that allows the attacker to load different functional modules from the anonymity of the internet. The implant also provides unrestricted access using a secret backdoor password. Each of the modules are enabled via the HTTP protocol (not HTTPS), using a specifically crafted TCP packets sent to the routers interface,” an analysis of the technique by Bill Hau and Tony Lee of FireEye says.

“The packets have a nonstandard sequence and corresponding acknowledgment numbers.  The modules can manifest themselves as independent executable code or hooks within the routers IOS that provide functionality similar to the backdoor password. The backdoor password provides access to the router through the console and Telnet.”

The researchers say that Cisco 1841, 2811, and 3825 routers are known to be targeted in this kind of attack.

The modified IOS image that the attackers are using in these attacks survives a reboot of the router, but additional modules the attackers load live in volatile memory and will be lost after a reboot. The malicious implant modifies a function to point to the malware and overwrites a few other functions, as well.

Once the malicious IOS image is on the router, the attackers are using a modular command-and-control system to maintain communication.

“The CnC functionality is stealthy because it requires a series of TCP trigger packets that the malware monitors for specific TCP header values and content. Even if filters are enabled on the router, the TCP trigger is processed by the malware. The malware will respond to trigger packets sent three different addresses: the router interface, the broadcast IP, and the network address (the first IP in a subnet),” the FireEye analysis says.

The attacks detailed by FireEye are similar to ones Cisco warned customers about last month. In those attacks, hackers are again using valid credentials to connect to IOS devices and then upload malicious ROM Monitor images.

“In all cases seen by Cisco, attackers accessed the devices using valid administrative credentials and then used the ROMMON field upgrade process to install a malicious ROMMON. Once the malicious ROMMON was installed and the IOS device was rebooted, the attacker was able to manipulate device behavior. Utilizing a malicious ROMMON provides attackers an additional advantage because infection will persist through a reboot,” Cisco said in an advisory in August.

Categories: Malware, Vulnerabilities, Web Security