Mandiant firm has spotted more than a dozen Cisco routers running malicious ROMMON firmware images that allow attackers to control targeted devices. CISCO issued an alert to warn enterprise customers about a spike in attacks in which hackers use valid admin credentials on IOS devices to install bogus ROMMON images. The attackers have unrestricted backdoor access to the CISCO router via the console and Telnet using a special password. Researchers found the malicious ROMmon images dubbed SYNful Knock, on 14 Cisco routers located in Ukraine, Philippines, India and Mexico.”]
Source: http://securityaffairs.co/wordpress/40151/cyber-crime/synful_knock-rommon-implants.html