The China-Nexus Velvet Ant hackers exploited a bug in April that allowed them to execute arbitrary commands as root on Cisco devices. This zero-day vulnerability, tracked as CVE-2024-20399, was discovered by cybersecurity company Sygnia and patched by Cisco on Monday. The threat group remotely connected to Cisco’s NX-OS software used in switches and executed malicious code.
The vulnerability is a command injection vulnerability that allows an authenticated, local attacker to run commands as root. The lack of log review for network devices, especially switches, poses challenges in identifying malicious activity. The flaw allows the user administrator privileges without triggering system syslog messages, making it easier to hide the execution of shell commands.
Despite the potential for code execution and the widespread use of Cisco Nexus switches in enterprise environments, the vulnerability is rated a 6 on the CVSS scale. This is because most Nexus switches are not directly accessible from the Internet, requiring attackers to have specific credentials and command configurations for successful exploitation.
The incident highlights the trend of sophisticated threat groups leveraging network devices that are inadequately protected and monitored to maintain persistent access. In a similar case, a potentially state-sponsored threat actor used outdated F5 BIG-IP appliances to run custom malware and steal data from an undisclosed East Asian company, remaining undetected for three years.
To prevent exploitation of the vulnerability, Cisco recommends changing administrator credentials and monitoring activity. Administrators can also check if their devices are exposed on the software verifier page. Overall, the incident underscores the importance of vigilance and proactive security measures to protect against cyber threats.
Article Source
https://www.bankinfosecurity.com/cisco-patches-exploited-zero-day-vulnerability-a-25682