Cisco switch owners should be aware of a just-released patch for a vulnerability that was exploited in April to install malware on Nexus switches. The vulnerability, tracked as CVE-2024-20399, allows a local, authenticated attacker to execute arbitrary commands as root. Although its severity rating is a moderate 6.0, the flaw was used by a group called Velvet Ant to deploy remote access malware on the switches.
Sygnia, the researchers who discovered the vulnerability, believe that Velvet Ant has ties to Beijing. The malware used in the attack was not specifically identified, but previous research suggests the group has used the ShadowPad and PlugX malware families, both of which provide remote access and code execution on infected devices.
Exploitation requires administrator privileges, which limits how easily the flaw can be abused, but the incident is still a reminder of the importance of implementing security best practices. Vulnerable Cisco products include Nexus series switches such as the Nexus 3000, Nexus 5500, Nexus 5600, Nexus 6000, Nexus 7000, and Nexus 9000 in standalone NX-OS mode. Patches are available and should be applied promptly.
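To turn the affected-product list above into something actionable, the following Python script is an added example, not code from the article, Cisco or Sygnia. It parses constructed NX-OS `show version` output for a handful of devices, maps each chassis model to the product families the article names, and flags devices that still need attention. The `FIXED_VERSION_PLACEHOLDER` table and the version strings in the sample output are assumptions for illustration; the real first-fixed releases come from Cisco's advisory, and the script cannot tell standalone NX-OS mode from ACI mode, so that scoping step stays with the operator.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Product families the article lists as affected (standalone NX-OS mode).
AFFECTED_FAMILIES = {"3000", "5500", "5600", "6000", "7000", "9000"}

# Hypothetical placeholder: first fixed NX-OS release per family.
# Not from the article; an operator fills this in from Cisco's advisory.
FIXED_VERSION_PLACEHOLDER: Dict[str, str] = {
    "9000": "9.9(9)",  # placeholder value, not a real fixed release
}

# Chassis line, e.g. "cisco Nexus9000 C93180YC-EX chassis" or "cisco Nexus5548 Chassis".
_PLATFORM_RE = re.compile(r"cisco\s+Nexus\s?(\d{4})", re.IGNORECASE)
# Version line in either the newer "NXOS: version" or older "system: version" form.
_VERSION_RE = re.compile(r"^\s*(?:NXOS|system):\s+version\s+(\S+)", re.MULTILINE)


def family_of(model: str) -> str:
    """Map a four-digit chassis number to the family label used in the article.
    5500 and 5600 are distinct families; every other family is the leading digit."""
    if model.startswith("55"):
        return "5500"
    if model.startswith("56"):
        return "5600"
    return model[0] + "000"


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '9.3(5)' into (9, 3, 5) so releases within one train compare numerically.
    Train letters (e.g. the 'I7' in '7.0(3)I7(6)') are dropped, so comparisons
    are only meaningful within the same release train."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def parse_show_version(text: str) -> Tuple[Optional[str], Optional[str]]:
    """Extract (family, version) from show version output; None where absent."""
    platform = _PLATFORM_RE.search(text)
    version = _VERSION_RE.search(text)
    return (family_of(platform.group(1)) if platform else None,
            version.group(1) if version else None)


@dataclass
class DeviceStatus:
    hostname: str
    family: Optional[str]
    version: Optional[str]
    in_scope: bool            # family is one the article lists
    patched: Optional[bool]   # None when no fixed version is known for the family


def triage(hostname: str, show_version_text: str,
           fixed_versions: Dict[str, str] = FIXED_VERSION_PLACEHOLDER) -> DeviceStatus:
    family, version = parse_show_version(show_version_text)
    in_scope = family in AFFECTED_FAMILIES
    patched = None
    if in_scope and version and family in fixed_versions:
        patched = version_key(version) >= version_key(fixed_versions[family])
    return DeviceStatus(hostname, family, version, in_scope, patched)


def needs_attention(statuses: List[DeviceStatus]) -> List[str]:
    """Hostnames that are in scope and not confirmed patched (unknown counts as not confirmed)."""
    return [s.hostname for s in statuses if s.in_scope and s.patched is not True]


# Constructed sample output, trimmed to the lines the parser needs.
SAMPLE_OUTPUTS = {
    "core-sw1": "Software\n  BIOS: version 07.69\n  NXOS: version 9.3(5)\n"
                "Hardware\n  cisco Nexus9000 C93180YC-EX chassis\n",
    "dc-agg2": "Software\n  system:    version 7.3(0)D1(1)\n"
               "Hardware\n  cisco Nexus7000 C7710 (10 Slot) Chassis\n",
    "fc-edge1": "Software\n  system:    version 7.3(5)N1(1)\n"
                "Hardware\n  cisco Nexus5548 Chassis\n",
    "mystery": "Software\n  version 15.2\nHardware\n  some other platform\n",
}

if __name__ == "__main__":
    results = [triage(h, out) for h, out in SAMPLE_OUTPUTS.items()]
    for s in results:
        print(f"{s.hostname:10} family={s.family} version={s.version} "
              f"in_scope={s.in_scope} patched={s.patched}")
    print("needs attention:", needs_attention(results))
```

Devices whose family has no entry in the fixed-version table come back with `patched=None` and are still listed as needing attention, which is the conservative choice: an unknown patch state should be resolved against the vendor advisory rather than assumed safe.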
The attack by Velvet Ant underscores the persistence and sophistication of threat groups targeting network devices. Security industry experts emphasize the need for organizations to strengthen network security measures and to monitor network devices for signs of compromise. The incident also highlights the risks of running legacy systems and the importance of staying current with security updates and best practices.
Article source: https://www.theregister.com/AMP/2024/07/02/cisco_nexus_zero_day/