Cisco recently patched a zero-day vulnerability in its NX-OS software that was exploited in cyber attacks back in April. The cybersecurity firm Sygnia attributed the attacks to a Chinese state-sponsored group it tracks as Velvet Ant. The attackers gained root access to vulnerable switches and installed custom malware, allowing them to connect remotely and execute malicious code.
The vulnerability, tracked as CVE-2024-20399, can be exploited by a local attacker who already holds administrator privileges to execute commands with root permissions on the affected devices. The flaw stems from insufficient validation of arguments passed to specific configuration commands in the software.
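The defect class described above, insufficient validation of a command argument that is later handed to a shell, is illustrated below with a small Python example added here for explanation. It is not Cisco's code and does not reproduce the actual NX-OS flaw; the helper name `interface-helper`, the allowlist regex and the sample inputs are all constructed for the illustration. The vulnerable builder splices the argument into a shell string verbatim; the hardened path validates against an allowlist and builds an argv list so no shell ever parses the argument.

```python
import re
import subprocess

# Allowlisted argument grammar for the example: a word, digits, optional /digits parts.
# This is a constructed pattern for illustration, not NX-OS's real interface-name grammar.
ARG_PATTERN = re.compile(r"^[A-Za-z]+[0-9]+(?:/[0-9]+)*$")

# Assumed helper binary name; it stands in for whatever a configuration command
# hands its argument to under the hood.
HELPER = "interface-helper"


def build_command_unsafe(arg: str) -> str:
    """Vulnerable pattern: the argument is spliced into a shell command line verbatim.

    Anything the shell treats specially (';', '|', '$(', ...) inside `arg` survives
    into the command line, which is the class of defect the article describes.
    """
    return f"{HELPER} {arg}"


def validate_arg(arg: str) -> str:
    """Reject anything outside the allowlisted grammar before it can reach a shell."""
    if not ARG_PATTERN.fullmatch(arg):
        raise ValueError(f"argument rejected by allowlist: {arg!r}")
    return arg


def build_command_safe(arg: str) -> list[str]:
    """Hardened pattern: validate first, then build an argv list (no shell string)."""
    return [HELPER, validate_arg(arg)]


def run_safe(arg: str) -> subprocess.CompletedProcess:
    """Execute with shell=False so the argument can only ever be a single argv element.

    Assumes the helper binary exists on PATH; it is not run by the audit below.
    """
    return subprocess.run(build_command_safe(arg), shell=False, check=False,
                          capture_output=True, text=True)


def audit(args: list[str]) -> tuple[list[str], list[str]]:
    """Return (accepted, rejected) for a batch of candidate arguments."""
    accepted, rejected = [], []
    for candidate in args:
        try:
            accepted.append(validate_arg(candidate))
        except ValueError:
            rejected.append(candidate)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample inputs: two well-formed names and two carrying shell metacharacters.
    samples = ["Ethernet1/1", "mgmt0", "Ethernet1/1; id", "$(id)"]
    ok, bad = audit(samples)
    print("accepted by allowlist:", ok)
    print("rejected by allowlist:", bad)
    for s in bad:
        print("unsafe builder would have produced:", build_command_unsafe(s))
```

The point of the hardened path is that validation happens against a positive grammar rather than a blocklist of dangerous characters, and the result is passed as a discrete argv element; rejecting metacharacters alone is not enough if the argument is still concatenated into a shell string later.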
Several switch families running vulnerable NX-OS software were affected, including the MDS 9000 Series, Nexus 3000 Series, Nexus 5500 Platform, and others. Attackers were able to execute commands without triggering system alerts, which let them hide their activity on compromised devices.
To protect against such attacks, Cisco recommends regularly monitoring and rotating the credentials of network-admin and vdc-admin users. Administrators can also use the Cisco Software Checker page to determine whether their devices are exposed to CVE-2024-20399.
In addition to this recent exploit, Cisco also warned in April about a state-backed hacking group exploiting zero-day bugs in the Adaptive Security Appliance and Firepower Threat Defense firewalls. The group, known as UAT4356 and STORM-1849, targeted government networks worldwide in a campaign called ArcaneDoor.
The attackers chained two zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359) to install previously unknown malware on compromised devices and establish persistence. Cisco has not yet determined how the attackers initially breached the victims' networks.
Sygnia also reported that the Velvet Ant group targeted F5 BIG-IP devices in a separate cyber espionage campaign, maintaining persistent access to the victims' networks and stealing sensitive customer information undetected for three years.
These incidents highlight the ongoing threat posed by state-sponsored hacking groups and the importance of regular monitoring and updates to protect against such attacks. Cisco’s patches and recommendations aim to help organizations safeguard their networks and prevent unauthorized access by malicious actors.
Article source: https://www.bleepingcomputer.com/news/security/cisco-warns-of-nx-os-zero-day-exploited-to-deploy-custom-malware/amp/