Cisco recently patched a zero-day vulnerability that was exploited by a nation-state threat group known as Velvet Ant, believed to be linked to China. The vulnerability, tracked as CVE-2024-20399, allows an authenticated, local attacker to execute arbitrary commands as root on affected devices running Cisco’s NX-OS software. This vulnerability, known as a command injection vulnerability, poses a significant risk as it grants the attacker administrator privileges without triggering system syslog messages, making it easier to hide malicious activity.
The exploitation of this vulnerability highlights the challenges in identifying and investigating malicious activity on network devices, particularly switches, which are often not closely monitored. Despite the severity of the vulnerability and the widespread use of Cisco Nexus switches in enterprise environments, the risk is mitigated to some extent by the fact that most Nexus switches are not directly exposed to the Internet. An attacker would need to have administrator credentials and specific command configurations to successfully exploit the vulnerability.
This incident underscores the tendency of sophisticated threat groups to leverage network devices to maintain persistent access to networks. In a recent case, a potentially state-sponsored threat actor used outdated F5 BIG-IP appliances to steal financial and customer data from an East Asian company, going undetected for three years. This highlights the importance of regularly monitoring network activity and updating administrator credentials to prevent unauthorized access.
Cisco has recommended that companies change administrator credentials and closely monitor network activity to prevent exploitation of this vulnerability. Administrators can use the software verifier page to check if their devices are exposed to potential risks. The discovery of this vulnerability by Sygnia underscores the importance of proactive cybersecurity measures to protect against advanced cyber threats such as nation-state attacks.
Article Source
https://www.govinfosecurity.com/cisco-patches-exploited-zero-day-vulnerability-a-25682
