Cisco Systems officials are warning customers of a series of attacks that completely hijack critical networking gear by swapping out the valid ROMMON firmware image with one that's been maliciously altered.
The attackers use valid administrator credentials, an indication the attacks are being carried out either by insiders or people who have otherwise managed to get hold of the highly sensitive passwords required to update and make changes to the Cisco hardware. Short for ROM Monitor, ROMMON is the means for booting Cisco's IOS operating system. Administrators use it to perform a variety of configuration tasks, including recovering lost passwords, downloading software, or in some cases running the router itself. In an advisory published Wednesday company officials wrote:
This appears to be an insider attack, but it is reminiscent of one of the early Snowden revelations regarding the installation of beacon implants on Cisco routers. At the time I scoffed at this because, as described, it would have required access to Cisco's firmware in order to properly modify it and get a valid MD5 hash, but apparently no one actually checks MD5 checksums.
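The point about unchecked checksums is worth making concrete. The following is an added example, not code from the article, Cisco, or this blog: a defender-side check that verifies a downloaded ROMMON or IOS image against the digests a vendor publishes out of band, flags a tampered image, and reports when the only digest available is MD5 (which a deliberate substitution can match, so a match there proves little). The image bytes and the manifest are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample: a stand-in for a ROMMON/IOS image and the vendor's
# published checksum manifest. Nothing here is a real Cisco image or digest.
SAMPLE_IMAGE = b"ROMMON-IMAGE-SAMPLE-BYTES\x00" * 64
GOOD_MANIFEST = {
    "md5": hashlib.md5(SAMPLE_IMAGE).hexdigest(),
    "sha512": hashlib.sha512(SAMPLE_IMAGE).hexdigest(),
}
# The same image with a single flipped byte, modelling a modified image.
_t = bytearray(SAMPLE_IMAGE)
_t[100] ^= 0x01
TAMPERED_IMAGE = bytes(_t)

# Digests accepted for verification, strongest first. MD5 is kept only so
# legacy manifests can still be checked, and is reported as weak.
STRONG = ("sha512", "sha256")
WEAK = ("md5",)

def verify_image(image: bytes, manifest: dict) -> dict:
    """Compare the image against every digest listed in the manifest.

    Returns 'ok' (every listed digest matched), 'checked' (per-algorithm
    results) and 'weak_only' (True when the manifest offered nothing
    stronger than MD5). The manifest must come from the vendor's site or
    signed release notes, never from alongside the image being checked.
    """
    checked = {}
    for algo in STRONG + WEAK:
        expected = manifest.get(algo)
        if expected is None:
            continue
        actual = hashlib.new(algo, image).hexdigest()
        # Constant-time comparison, so timing does not reveal partial matches.
        checked[algo] = hmac.compare_digest(actual, expected.lower())
    return {
        "ok": bool(checked) and all(checked.values()),
        "checked": checked,
        "weak_only": bool(checked) and not any(a in checked for a in STRONG),
    }

if __name__ == "__main__":
    print(verify_image(SAMPLE_IMAGE, GOOD_MANIFEST))      # ok, strong digest
    print(verify_image(TAMPERED_IMAGE, GOOD_MANIFEST))    # every digest fails
    print(verify_image(SAMPLE_IMAGE, {"md5": GOOD_MANIFEST["md5"]}))  # weak_only
```

Run the same check against the image actually staged on the device (for example after copying it back off the flash) rather than only against the download, since the page's attack replaces the image on the hardware itself.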
Sorry, that's all I had time for today.