Over the past several years, hackers have targeted public-facing network devices such as routers, VPN concentrators, and load balancers to gain a foothold into corporate networks. While finding remote code execution vulnerabilities in such devices is not uncommon, incidents where attackers were able to deploy malware on them that can survive restarts or firmware upgrades have been rare and generally attributed with sophisticated APT groups.
Because they use flash memory that degrades over time if subjected to many write operations, embedded network devices typically store their firmware in read-only filesystems and load their contents into RAM at each restart. This means that all changes and files generated by the various running services during the device’s normal operation are temporary because they only occur in RAM and are never saved to the file system, which is restored to its initial state when the device is restarted reboot.