A suspected threat actor with ties to China, known as Velvet Ant, has been actively exploiting a zero-day vulnerability in Cisco NX-OS software, according to researchers at Sygnia. The vulnerability, identified as CVE-2024-20399, affects a wide range of Cisco Nexus devices and has a CVSS score of 6.0. The threat actor is highly sophisticated and is deploying custom malware, making their activity particularly challenging. Sygnia discovered this exploit as part of a broader investigation into Velvet Ant’s espionage work, revealing that the hacker has been operating on a victim’s computer network for three years.
During the investigation, it was found that the threat actor maintained persistence in a legacy F5 BIG-IP device exposed to the Internet. Sygnia reported this threat activity against Cisco Nexus devices to the company earlier this year. Cisco has released software updates for some NX-OS hardware platforms and will continue to release additional fixes. The company emphasized that there are no other workarounds to fix the flaw.
According to Amnon Kushnir, incident response director at Sygnia, Cisco Nexus devices are often used as backbone switches for data centers. The hacker’s ability to gain root access to the Linux-based operating system and deploy custom malware poses a significant threat. The custom malware allowed the threat actor to enable code execution and traffic tunneling, granting access to the network without the need to log in.
The Cybersecurity and Infrastructure Security Agency has included this vulnerability in its catalog of known exploitable vulnerabilities. Although the bug can allow an attacker to execute arbitrary commands with root privileges, attackers must have administrator credentials to exploit the vulnerability. In response, Cisco has been releasing software updates for affected hardware platforms and will continue to address the issue as needed.
In conclusion, the threat actor known as Velvet Ant, with suspected ties to China, is exploiting a zero-day vulnerability in Cisco NX-OS software to deploy custom malware and gain unauthorized access to networks. This activity has been ongoing for three years and poses a significant risk to organizations using Cisco Nexus devices. Cisco has released software updates to address the vulnerability and is working on additional fixes to mitigate the threat.
Article Source
https://www.cybersecuritydive.com/news/cisco-nexus-devices-zero-day/720535/
