Chinese hackers are using vulnerability in Cisco switches to distribute malware

A cyber espionage group known as Velvet Ant, believed to have ties to China, has been observed exploiting a zero-day vulnerability in the Cisco NX-OS software that runs on Cisco switches to distribute malware. The vulnerability, tracked as CVE-2024-20399, allows an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of the affected device. By exploiting this flaw, Velvet Ant was able to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on them. The issue arises from insufficient validation of arguments passed to specific CLI configuration commands, which lets an adversary run commands without triggering system syslog messages, so the activity leaves no trace in the device's normal logs. Although the flaw grants code execution, successful exploitation requires the attacker to already hold administrator credentials and to have access to the specific configuration commands involved.

The affected devices include MDS 9000 Series Multilayer Switches; Nexus 3000, 5500, 5600, 6000, and 7000 Series Switches; and Nexus 9000 Series Switches in standalone NX-OS mode. Velvet Ant was previously linked to cyberattacks targeting an organization in East Asia, in which the group used outdated F5 BIG-IP appliances to steal financial and customer information over a three-year period. This latest development underlines the risk posed by unmonitored network devices and the absence of centralized logging, both of which make malicious activity on such devices difficult to detect and investigate.

In addition to this cyber espionage activity, threat actors are exploiting a critical vulnerability in D-Link DIR-859 Wi-Fi routers (CVE-2024-0769) to collect account information, including names, passwords, groups, and descriptions, for all users on the device. This path traversal flaw, which leads to information disclosure, poses a long-term exploitation risk because the product is no longer maintained and patches will not be applied. GreyNoise, a threat intelligence firm, warns that variations of the exploit can extract account details from the affected devices.

This news highlights the ongoing threat posed by cyber espionage groups and the importance of implementing robust security measures to protect network devices from such attacks.

Article Source
https://thehackernews.com/2024/07/chinese-hackers-exploiting-cisco.html