A China-linked group, Velvet Ant, exploited a zero-day vulnerability in Cisco NX-OS software, leading to the deployment of custom malware on vulnerable switches. The flaw, identified as CVE-2024-20399 with a CVSS score of 6.0, allowed attackers to execute arbitrary commands as root within the operating system of affected devices. Only attackers with administrator credentials could exploit the vulnerability, which was reported by cybersecurity firm Sygnia in April 2024.
The exploit by Velvet Ant enabled the execution of previously unknown custom malware, allowing remote access to compromised Cisco Nexus devices for uploading files and executing code. The vulnerability affected multiple Cisco devices, including MDS 9000 Series Multilayer Switches, Nexus 3000 Series Switches, Nexus 5500, 5600 and 6000 Platform Switches, Nexus 7000 Series Switches, and Nexus 9000 Series Switches in NX-OS Standalone Mode.
To mitigate the risk, Cisco recommended monitoring credential usage for administrative users and provided the Cisco Software Checker tool to determine whether a device is vulnerable. In a separate incident at the end of 2023, Sygnia researchers linked a similar attack to Velvet Ant, involving the deployment of custom malware on F5 BIG-IP devices to gain persistent access to an organization’s internal network and steal sensitive data.
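Because the flaw requires valid administrator credentials, Cisco's advice to watch administrative credential usage is the practical detection lever. The following added example (not code from the article, Cisco or Sygnia) parses constructed log lines in the style of NX-OS command accounting output and flags privileged-account activity from an unexpected source host or outside an assumed change window; the line format, user names, addresses and window are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in the style of NX-OS "show accounting log" output.
# The format is an assumption for this example, not taken from the article.
SAMPLE_LOG = """\
Tue Jul  2 10:15:01 2024:type=start:id=192.0.2.10@pts/0:user=admin:cmd=
Tue Jul  2 10:15:09 2024:type=update:id=192.0.2.10@pts/0:user=admin:cmd=show version (SUCCESS)
Tue Jul  2 23:41:37 2024:type=start:id=198.51.100.77@pts/1:user=admin:cmd=
Tue Jul  2 23:41:52 2024:type=update:id=198.51.100.77@pts/1:user=admin:cmd=configure terminal ; interface Ethernet1/1 ; shutdown (SUCCESS)
Tue Jul  2 11:02:13 2024:type=start:id=192.0.2.10@pts/2:user=netops:cmd=
"""

LINE_RE = re.compile(
    r"^(?P<ts>.+?\d{4}):type=(?P<type>\w+):id=(?P<src>[^@]+)@(?P<tty>[^:]+)"
    r":user=(?P<user>[^:]+):cmd=(?P<cmd>.*)$"
)

ADMIN_USERS = {"admin"}                 # assumed privileged accounts
ALLOWED_ADMIN_SOURCES = {"192.0.2.10"}  # assumed management jump host
CHANGE_WINDOW = range(8, 18)            # assumed 08:00-17:59 local time


def parse_line(line):
    """Return the fields of one accounting line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    return rec


def find_admin_anomalies(log_text):
    """Flag privileged-account activity from unexpected hosts or outside the window."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] not in ADMIN_USERS:
            continue
        reasons = []
        if rec["src"] not in ALLOWED_ADMIN_SOURCES:
            reasons.append("unexpected source %s" % rec["src"])
        if rec["ts"].hour not in CHANGE_WINDOW:
            reasons.append("outside change window")
        if reasons:
            alerts.append((rec["ts"].isoformat(), rec["user"], rec["cmd"], reasons))
    return alerts
```

Running `find_admin_anomalies(SAMPLE_LOG)` on the constructed input yields two alerts, both for the late-night admin session from the host outside the allowlist, while the daytime sessions from the jump host and the non-privileged user are ignored.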
Overall, the active exploitation of the NX-OS zero-day vulnerability highlights the ongoing threat posed by advanced persistent threat (APT) groups, particularly those with nation-state backing like the China-linked Velvet Ant. It emphasizes the importance of timely patching and monitoring of network devices to prevent unauthorized access and data exfiltration. Cisco’s response to the vulnerability underscores the need for collaboration between researchers, vendors, and organizations to address emerging cybersecurity threats effectively.
Article Source
https://securityaffairs.com/165097/apt/cisco-nx-os-zero-day-chinese-hackers.html?amp