Chinese malware campaign targets Cisco Nexus switches

Sygnia has reported that a Chinese state-linked threat actor it tracks as Velvet Ant exploited a zero-day vulnerability in certain Cisco switches to install custom malware. The attackers first harvested administrator-level credentials, then used them to log in to Cisco Nexus switches remotely, exploit the flaw and run malicious code on the devices.

The vulnerability, CVE-2024-20399, has since been patched by Cisco. It is a command injection in the NX-OS command-line interface: an authenticated, local attacker who already holds administrator privileges can pass crafted arguments to certain configuration CLI commands and execute arbitrary commands as root on the underlying operating system of the switch. Because valid admin credentials are a precondition, the credential theft is the real initial access; patching closes the escalation to root but does not by itself evict an attacker who still holds working credentials.

Affected products are the MDS 9000 Series Multilayer Switches, Nexus 3000 Series Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, and Nexus 9000 Series Switches in standalone NX-OS mode.

Cisco advises administrators to monitor and regularly rotate the credentials of the network-admin and vdc-admin accounts to reduce the risk of exploitation, and to use the Cisco Software Checker to determine whether the NX-OS releases running on their devices are affected and which fixed release to upgrade to.

Article Source
https://www.techradar.com/pro/security/cisco-nexus-switches-targeted-by-large-scale-chinese-malware-campaign