A threat actor linked to China is exploiting a zero-day vulnerability in Cisco NX-OS software. Known as Velvet Ant, the actor is targeting a command injection vulnerability affecting various Cisco Nexus devices. The vulnerability, CVE-2024-20399, has a CVSS score of 6.0, with the threat actor deploying custom malware. Sygnia researchers uncovered the exploit during an investigation into Velvet Ant’s activities, revealing that the actor had been present on a victim’s network for three years. The actor managed to maintain persistence on a legacy F5 BIG-IP device exposed to the Internet.
Sygnia’s discovery led to the reporting of the threat activity against Cisco Nexus devices to the company. Cisco has released software updates for some NX-OS platforms and plans to provide additional fixes in the future. Amnon Kushnir, incident response director at Sygnia, highlighted the significant challenge posed by the threat actor’s ability to gain root access to the Linux-based operating system on Cisco Nexus devices. The hacker can execute code and establish traffic tunneling, bypassing the need for continued login access post-deployment of custom malware.
Sygnia researchers emphasized that network devices, especially switches, are often inadequately monitored, with logs not forwarded to a centralized system. The added challenge arises from the hacker’s ability to enable code execution and traffic tunneling, granting access to the network without the need for continued login. The Cybersecurity and Infrastructure Security Agency has included the vulnerability in its database of known exploitable issues. While the bug allows attackers to execute commands with root privileges, administrator credentials are required to exploit it fully.
Overall, the threat actor’s exploitation of this zero-day vulnerability in Cisco NX-OS software highlights the evolving landscape of cyber threats, particularly from sophisticated actors like Velvet Ant. It underscores the importance of proactive security measures, including prompt software updates and enhanced network monitoring to detect and mitigate such threats. Researchers and cybersecurity experts continue to monitor the situation closely to prevent further exploitation and potential impact on critical infrastructure.
Article Source
https://www.techcentral.ie/cisco-nexus-devices-zero-day-raises-alarms-despite-cvss-score/
