Cisco is warning enterprise customers about a spike in attacks in which hackers use valid credentials on IOS devices to log in as administrators and then upload malicious ROMMON images to take control of the devices.
The ROM Monitor is the program that initializes the hardware and software on IOS devices, and an attacker who is able to install a modified, malicious image would have persistent access to the compromised device. Cisco’s security team has been contacting customers to warn them about the attacks, which are ongoing.
A key component of the attacks is that the attacker needs to have valid administrator-level credentials in order to access the device. There is no underlying vulnerability that the attackers are exploiting. They are somehow harvesting admin credentials and then using them to install the malicious ROMMON images.
“Cisco PSIRT has contacted customers to describe an evolution in attacks against Cisco IOS Classic platforms. Cisco has observed a limited number of cases where attackers, after gaining administrative or physical access to a Cisco IOS device, replaced the Cisco IOS ROMMON (IOS bootstrap) with a malicious ROMMON image,” the advisory from Cisco says.
“In all cases seen by Cisco, attackers accessed the devices using valid administrative credentials and then used the ROMMON field upgrade process to install a malicious ROMMON. Once the malicious ROMMON was installed and the IOS device was rebooted, the attacker was able to manipulate device behavior. Utilizing a malicious ROMMON provides attackers an additional advantage because infection will persist through a reboot.”
The ability to install new ROMMON images on IOS devices is an expected capability for users with admin privileges. Cisco says that there is no plan to issue a CVE related to these attacks, because of the lack of a vulnerability.
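Because the activity described above uses legitimate administrator credentials and a legitimate upgrade mechanism, the practical defensive angle is to watch for the ROMMON field-upgrade workflow itself in command accounting: an image staged to flash, the upgrade command, and a reload, especially from a source address outside the management network. The following is an added example, not code from Cisco or from this article. The log line format is constructed (loosely modelled on AAA command-accounting records), the `upgrade rom-monitor` command text is assumed to be what the platform logs, and the trusted management subnet is a made-up value.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of AAA command-accounting lines. The format is an
# assumption made for this example, not real Cisco device output.
SAMPLE_LOG = """\
2015-08-10T03:12:01Z rtr-edge-1 user=netops addr=10.20.0.5 priv=15 cmd="show version"
2015-08-10T03:12:40Z rtr-edge-1 user=netops addr=10.20.0.5 priv=15 cmd="copy tftp://10.20.0.9/ios.bin flash:"
2015-08-11T22:41:07Z rtr-edge-1 user=admin addr=198.51.100.77 priv=15 cmd="copy tftp://198.51.100.77/rommon.bin bootflash:"
2015-08-11T22:41:55Z rtr-edge-1 user=admin addr=198.51.100.77 priv=15 cmd="upgrade rom-monitor file bootflash:rommon.bin"
2015-08-11T22:43:10Z rtr-edge-1 user=admin addr=198.51.100.77 priv=15 cmd="reload"
2015-08-12T09:00:00Z rtr-core-2 user=netops addr=10.20.0.5 priv=15 cmd="show rom-monitor"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) addr=(?P<addr>\S+) '
    r'priv=(?P<priv>\d+) cmd="(?P<cmd>[^"]*)"$'
)

# The IOS field-upgrade command is assumed to be logged as "upgrade rom-monitor ...";
# adjust to the exact syntax your platform emits. Staging is any copy of a file
# with "rommon" in its name into flash or bootflash.
ROMMON_UPGRADE_RE = re.compile(r"^upgrade\s+rom-monitor\b", re.I)
ROMMON_STAGE_RE = re.compile(r"^copy\s+(?P<src>\S*rommon\S*)\s+(?P<dst>(?:boot)?flash\S*)", re.I)
RELOAD_RE = re.compile(r"^reload\b", re.I)

# Constructed management subnet; admin sessions from anywhere else are suspicious.
TRUSTED_ADMIN_PREFIXES = ("10.20.0.",)


@dataclass
class Event:
    ts: str
    host: str
    user: str
    addr: str
    priv: int
    cmd: str


def parse_log(text):
    """Parse accounting lines into Event records, skipping anything malformed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append(Event(d["ts"], d["host"], d["user"], d["addr"], int(d["priv"]), d["cmd"]))
    return events


def detect_rommon_replacement(events):
    """Flag every (device, user, source) session that ran a ROMMON upgrade.

    A session is rated "high" when it came from outside the trusted management
    network or was followed by a reload (the point at which a replaced ROMMON
    takes effect); otherwise "review", since a legitimate upgrade looks the same.
    """
    sessions = defaultdict(list)
    for e in events:
        sessions[(e.host, e.user, e.addr)].append(e)

    findings = []
    for (host, user, addr), evs in sessions.items():
        evs.sort(key=lambda e: e.ts)  # ISO-8601 timestamps sort lexically
        upgrades = [e for e in evs if ROMMON_UPGRADE_RE.match(e.cmd)]
        if not upgrades:
            continue
        first_upgrade = upgrades[0]
        staged = [ROMMON_STAGE_RE.match(e.cmd) for e in evs if ROMMON_STAGE_RE.match(e.cmd)]
        reload_after = any(RELOAD_RE.match(e.cmd) and e.ts > first_upgrade.ts for e in evs)
        untrusted = not addr.startswith(TRUSTED_ADMIN_PREFIXES)
        findings.append({
            "host": host,
            "user": user,
            "addr": addr,
            "untrusted_source": untrusted,
            "staged_image": staged[0].group("src") if staged else None,
            "upgrade_cmd": first_upgrade.cmd,
            "reload_after_upgrade": reload_after,
            "severity": "high" if (untrusted or reload_after) else "review",
        })
    return findings


if __name__ == "__main__":
    for f in detect_rommon_replacement(parse_log(SAMPLE_LOG)):
        print(f"[{f['severity']}] {f['host']} user={f['user']} from {f['addr']}: "
              f"{f['upgrade_cmd']} (reload after: {f['reload_after_upgrade']})")
```

Run against the constructed sample, the netops sessions produce nothing (a normal IOS image copy is not a ROMMON upgrade), while the admin session from 198.51.100.77 is reported as high severity because it staged a rommon image, ran the upgrade, and reloaded from a non-management address. The same grouping logic works on real TACACS+ accounting exports once the line regex is adapted to the exporter's format.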