Cisco Systems is now officially warning customers about attacks that have hijacked critical networking gear by replacing the legitimate ROMMON firmware image with a maliciously altered version, using valid administrator credentials. Because the attackers log in with valid credentials, the attacks are being carried out either by insiders or by outsiders who have obtained the passwords needed to update or reconfigure Cisco hardware.
ROMMON is the ROM Monitor, the bootstrap firmware that runs before Cisco's IOS operating system loads. SysAdmins use it routinely for tasks such as recovering lost passwords, loading a software image over the network when the installed one is missing or damaged, and changing the boot settings of a router.
The Cisco advisory states: “In all cases seen by Cisco, attackers accessed the devices using valid administrative credentials and then used the ROMMON field upgrade process to install a malicious ROMMON. Once the malicious ROMMON was installed and the IOS device was rebooted, the attacker was able to manipulate device behavior. Utilizing a malicious ROMMON provides attackers an additional advantage because infection will persist through a reboot.”
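Because the malicious image arrives through the same field-upgrade path a legitimate administrator would use, the practical check is to audit what ROMMON each device is actually running from, rather than to look for an exploit. The script below is an added example for this page (not code from the article, from Cisco or from National Net). It assumes the `show rom-monitor` output format seen on ISR-class routers, which lists a ReadOnly region, a field-upgradeable Upgrade region and the region currently in use, and it compares the running version against a hypothetical allowlist of version strings an operator has verified against vendor release notes. Both sample outputs are constructed for the example.

```python
"""Audit Cisco `show rom-monitor` output for an unexpected ROMMON image.

Added example for this article; it is not code from the page, from Cisco
or from National Net.  It assumes the ISR-style `show rom-monitor` layout
(ReadOnly region, Upgrade region, "Currently running ROMMON from ... region")
and a hypothetical operator-maintained allowlist of known-good versions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical allowlist: bootstrap versions an operator has verified
# against Cisco release notes for this platform.  Anything else is suspect.
KNOWN_GOOD_ROMMON = {
    "12.4(13r)T",
    "15.0(1r)M16",
}

_REGION_HDR = re.compile(r"^(ReadOnly|Upgrade) ROMMON version:", re.M)
_VERSION = re.compile(r"System Bootstrap, Version (\S+),")
_RUNNING = re.compile(r"Currently running ROMMON from (ReadOnly|Upgrade) region")

# Constructed sample: both regions hold an allowlisted image.
CLEAN_SAMPLE = """\
ReadOnly ROMMON version:
System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.

Upgrade ROMMON version:
System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.

Currently running ROMMON from Upgrade region
ROMMON from Upgrade region is selected for next boot
"""

# Constructed sample: the Upgrade region was flashed with a version string
# ("12.4(99r)X" is fictitious) that is not on the allowlist, and the router
# is booting from it.  This is the shape of the field-upgrade abuse above.
SUSPECT_SAMPLE = CLEAN_SAMPLE.replace(
    "Upgrade ROMMON version:\nSystem Bootstrap, Version 12.4(13r)T,",
    "Upgrade ROMMON version:\nSystem Bootstrap, Version 12.4(99r)X,",
)


@dataclass
class RommonState:
    readonly_version: Optional[str]
    upgrade_version: Optional[str]
    running_from: Optional[str]


def parse_show_rom_monitor(text: str) -> RommonState:
    """Extract the version in each ROMMON region and which region is active."""
    versions = {}
    headers = list(_REGION_HDR.finditer(text))
    for i, hdr in enumerate(headers):
        # Only look for the version line inside this region's own section.
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        match = _VERSION.search(text, hdr.end(), end)
        versions[hdr.group(1)] = match.group(1) if match else None
    run = _RUNNING.search(text)
    return RommonState(
        readonly_version=versions.get("ReadOnly"),
        upgrade_version=versions.get("Upgrade"),
        running_from=run.group(1) if run else None,
    )


def audit_rommon(text: str, known_good=KNOWN_GOOD_ROMMON) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    state = parse_show_rom_monitor(text)
    findings = []
    if state.running_from is None:
        findings.append("could not determine which ROMMON region is active")
    elif state.running_from == "Upgrade":
        # The Upgrade region is the one the field-upgrade process writes.
        if state.upgrade_version is None:
            findings.append("running from Upgrade region but no version parsed")
        elif state.upgrade_version not in known_good:
            findings.append(
                f"running from Upgrade region with unlisted ROMMON "
                f"{state.upgrade_version}"
            )
    if state.readonly_version is not None and state.readonly_version not in known_good:
        findings.append(
            f"ReadOnly ROMMON {state.readonly_version} not in allowlist "
            f"(catalogue it or investigate)"
        )
    return findings


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        print(name, audit_rommon(sample) or "ok")
```

Treat an allowlist match as necessary but not sufficient: a backdoored ROMMON controls the output of the very command being parsed and can report whatever version string it likes, so this catches careless re-flashes and gives you an inventory to diff over time, while confirmation still requires comparing against a known-good image or Cisco's own integrity guidance.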
So, while the IT industry is buzzing over this news, no product vulnerability is actually being exploited: the attacker must already hold valid admin credentials or have physical access to the device. An attacker in that position could just as easily take these systems down by pouring a pot of hot coffee over the running hardware or deleting every file on it, because they have already gotten in via stolen passwords or physical intrusion. What makes a malicious ROMMON different is that it is quiet rather than destructive: as Cisco notes, it persists through a reboot, and because it runs before IOS loads it is not removed by reinstalling the operating system, so a compromised router keeps looking healthy while someone else controls it.
For that reason, we view this news as a useful reminder of the importance of maintaining password security and properly securing all sensitive IT gear from intrusion. National Net continues to utilize state-of-the-art password encryption methods and security best practices to limit access to all servers under our supervision to only those people who should have access, and to limit each person's access to only the functionality their tasks require. At the end of the day, server security is as much about not spilling coffee on your hardware or handing out your passwords as it is about updating firmware and heeding Cisco warnings.