Tuesday, September 15, 2015

Cisco Routers - Attackers can modify the Firmware (if you don't change the default password)




To be honest, this is not Cisco's fault (at least not fully).
Simple rule - Always change the vendor-provided password (if possible, to a complex one).



From the Article:
“The implant consists of a modified Cisco IOS image that allows the attacker to load different functional modules from the anonymity of the internet. The implant also provides unrestricted access using a secret backdoor password. Each of the modules is enabled via the HTTP protocol (not HTTPS), using specifically crafted TCP packets sent to the router's interface.”

The researchers say that Cisco 1841, 2811, and 3825 routers are known to be targeted in this kind of attack.

The modified IOS image used in these attacks survives a reboot of the router, but the additional modules the attackers load live only in volatile memory and are lost after a reboot. The implant modifies one function so that it points to the malware and overwrites a few other functions as well.
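Because the persistent part of this implant is a change to the IOS image stored on flash, the most direct check an operator can run is to compare the image's hash against the hash the vendor publishes for that exact build. The script below is an added example (not code from the original post, from Cisco, or from the researchers): it hashes an image copy taken off the box, parses the output of the IOS `verify /md5 flash:<image>` command (the output line format is assumed from memory and should be confirmed on your platform), and compares both against a known-good manifest. The image bytes, file name and manifest values are constructed for the demo; real values come from the vendor download page for the image you run.

```python
"""Offline check of a Cisco IOS image hash against a known-good manifest.

Added example, not code from the original post, Cisco, or the researchers.
Assumes the operator has the vendor-published MD5 for the exact image build
and either a copy of the image file pulled off flash (TFTP/SCP copy or the
flash card read on another machine) or the text output of `verify /md5`.
"""
import hashlib
import re

# Constructed stand-in for an IOS image on flash (not a real image).
PRISTINE_IMAGE = b"CONSTRUCTED-IOS-IMAGE-BYTES\x00" * 256

# Constructed known-good manifest: image file name -> vendor-published MD5.
# In practice these values are copied from Cisco's download page, never from
# the router itself (a modified IOS can lie about its own image).
KNOWN_GOOD = {
    "c1841-sample-mz.bin": hashlib.md5(PRISTINE_IMAGE).hexdigest(),
}

# `verify /md5 flash:<image>` on IOS prints a line shaped like
#   verify /md5 (flash:c1841-sample-mz.bin) = <32 hex digits>
# (assumed format; confirm against your own platform's output).
VERIFY_RE = re.compile(
    r"verify /md5 \((?:\w+:)?(?P<name>[^)]+)\) = (?P<md5>[0-9a-fA-F]{32})"
)


def md5_hex(data):
    """MD5 of raw bytes as a lowercase hex string (Cisco publishes MD5)."""
    return hashlib.md5(data).hexdigest()


def check_image_bytes(name, data, manifest=KNOWN_GOOD):
    """Hash an image copy taken off the box and compare it to the manifest."""
    expected = manifest.get(name)
    if expected is None:
        return "unknown-image"
    return "ok" if md5_hex(data) == expected else "mismatch"


def parse_verify_output(text):
    """Extract (image name, md5) pairs from `verify /md5` output."""
    return [(m.group("name"), m.group("md5").lower())
            for m in VERIFY_RE.finditer(text)]


def check_verify_output(text, manifest=KNOWN_GOOD):
    """Compare every hash line in the router's output against the manifest."""
    results = {}
    for name, md5 in parse_verify_output(text):
        expected = manifest.get(name)
        if expected is None:
            results[name] = "unknown-image"
        else:
            results[name] = "ok" if md5 == expected else "mismatch"
    return results


def patch_image(data, offset, payload):
    """Simulate the kind of in-image edit the post describes (a function
    overwritten so it points elsewhere): same length, a few bytes changed."""
    return data[:offset] + payload + data[offset + len(payload):]


if __name__ == "__main__":
    print(check_image_bytes("c1841-sample-mz.bin", PRISTINE_IMAGE))
    tampered = patch_image(PRISTINE_IMAGE, 0x40, b"\xde\xad\xbe\xef")
    print(check_image_bytes("c1841-sample-mz.bin", tampered))
    # Constructed router output for the tampered image.
    sample = (".....Done!\n"
              "verify /md5 (flash:c1841-sample-mz.bin) = " + md5_hex(tampered) + "\n")
    print(check_verify_output(sample))
```

Two caveats follow from the post itself. First, this check only covers the part of the implant that survives a reboot: modules loaded into RAM leave no trace on flash, so a clean image hash does not prove a clean running system. Second, running `verify` on the router means trusting a possibly modified IOS to hash itself; hashing a copy of the image on a separate, trusted machine is the stronger check.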


For more info:
