
Security researchers discovered that the China-linked APT group Velvet Ant has exploited the recently disclosed zero-day CVE-2024-20399 in Cisco switches to take over the network devices.
Last month, Cisco addressed the NX-OS zero-day CVE-2024-20399, which the China-linked group Velvet Ant had exploited to deploy previously unknown malware as root on vulnerable switches; the in-the-wild exploitation was reported to Cisco PSIRT.
The flaw resides in the CLI of Cisco NX-OS Software. An authenticated local attacker can exploit it to execute arbitrary commands as root on the underlying operating system of an affected device; successful exploitation requires Administrator credentials on the Cisco NX-OS device.
The vulnerability impacts the following devices:
- MDS 9000 Series Multilayer Switches (CSCwj97007)
- Nexus 3000 Series Switches (CSCwj97009)
- Nexus 5500 Platform Switches (CSCwj97011)
- Nexus 5600 Platform Switches (CSCwj97011)
- Nexus 6000 Series Switches (CSCwj97011)
- Nexus 7000 Series Switches (CSCwj94682) *
- Nexus 9000 Series Switches in standalone NX-OS mode (CSCwj97009)
Cisco recommends that customers monitor the use of credentials for the administrative users network-admin and vdc-admin.
The U.S. CISA added the flaw to its Known Exploited Vulnerabilities catalog.
According to the published report, the zero-day exploit allows an attacker with valid administrator credentials to the switch management console to escape the NX-OS command line interface (CLI) and execute arbitrary commands on the underlying Linux operating system. Following exploitation, ‘Velvet Ant’ deploys tailored malware that runs on the underlying OS and is invisible to common security tools.
The threat actor used this technique to run a malicious script, which loaded and executed a backdoor binary, effectively bypassing standard security mechanisms. Several suspicious Base64-encoded commands were identified in the affected systems’ accounting logs. These commands were executed with valid administrative credentials as part of an exploit that leveraged a command injection vulnerability.
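Cisco's advice to watch the network-admin and vdc-admin accounts and the report's observation of Base64-encoded commands in the accounting logs suggest a simple detection: parse the switch accounting log and flag any watched-user command that carries a decodable Base64 token. The following is an added example, not code from Cisco or Sygnia; it assumes an approximate `show accounting log` line layout (timestamp, `type=`, `id=`, `user=`, `cmd=`) and runs over a constructed sample log.

```python
import base64
import re

# Assumed layout of a 'show accounting log' line (approximation; check your release):
#   <timestamp>:type=<t>:id=<source>@<tty>:user=<name>:cmd=<command> (<status>)
LINE_RE = re.compile(
    r"^(?P<ts>.+?):type=\w+:id=(?P<src>[^:]+):user=(?P<user>[^:]+):cmd=(?P<cmd>.*)$"
)
# Long runs of Base64 alphabet characters; normal NX-OS CLI tokens are far shorter.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Accounts Cisco asks customers to watch; add your local admin usernames here.
DEFAULT_WATCHED = frozenset({"network-admin", "vdc-admin"})

# Constructed sample log (not real data); the token decodes to "constructed-sample".
SAMPLE_LOG = """\
Mon Jul  1 09:12:03 2024:type=update:id=10.0.0.5@pts/0:user=network-admin:cmd=configure terminal ; interface Ethernet1/1 (SUCCESS)
Mon Jul  1 09:14:47 2024:type=update:id=10.0.0.5@pts/0:user=network-admin:cmd=show version (SUCCESS)
Mon Jul  1 09:20:10 2024:type=update:id=10.0.0.9@pts/1:user=network-admin:cmd=echo Y29uc3RydWN0ZWQtc2FtcGxl (SUCCESS)
Mon Jul  1 09:21:30 2024:type=update:id=10.0.0.7@pts/2:user=netops:cmd=echo Y29uc3RydWN0ZWQtc2FtcGxl (SUCCESS)
"""


def decode_b64_tokens(cmd):
    """Return plaintexts of tokens in cmd that are valid Base64 and decode to printable ASCII."""
    decoded = []
    for tok in B64_TOKEN_RE.findall(cmd):
        if len(tok) % 4:  # incomplete Base64 quantum: a long hostname or serial, not Base64
            continue
        try:
            text = base64.b64decode(tok, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded


def scan_accounting_log(lines, watched_users=DEFAULT_WATCHED):
    """Return (timestamp, source, user, cmd, decoded) for watched-user commands carrying Base64."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["user"] not in watched_users:
            continue
        decoded = decode_b64_tokens(m["cmd"])
        if decoded:
            findings.append((m["ts"], m["src"], m["user"], m["cmd"], decoded))
    return findings
```

The decode-to-printable check keeps long serial numbers and hostnames from tripping the rule, but the token length threshold is a heuristic and should be tuned against your own baseline of normal CLI activity.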
In general, network switches prevent users from accessing the underlying operating system, making it nearly impossible to scan them for indicators of compromise. This group, however, has shown the sophistication and determination to maintain persistence in compromised environments, using network devices for ongoing espionage activities.
The report concludes with the summary “Over the years of espionage activities ‘Velvet Ant’ increased their sophistication, using evolving tactics to continue their cyber operations in a victim network – from operating on ordinary endpoints, shifting operations to legacy servers and finally moving towards network appliances and using 0-days. The determination, adaptability, and persistence of such threat actors highlight the sensitivity of a holistic response plan to not only contain and mitigate the threat but also monitor the network for additional attempts to exploit the network.”
This research was documented by researchers from Sygnia.

