China-Linked Cyber Espionage Group Velvet Ant Exploits Zero-Day Flaw in Cisco NX-OS Software

July 2, 2024 – Velvet Ant, a China-nexus cyber espionage group, has been observed exploiting a zero-day vulnerability in the Cisco NX-OS Software that runs on its network switches. The flaw, tracked as CVE-2024-20399 (CVSS score: 6.0), is a command injection issue that allows an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device.

This command injection vulnerability stems from insufficient validation of arguments passed to specific configuration CLI commands, allowing an adversary to supply crafted input as an argument to an affected command. Cisco's security team indicated that the vulnerability's severity is mitigated by the requirement that the attacker already possess administrator credentials and access to the specific configuration commands.
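The weakness class described above, insufficient validation of an argument that ends up in a host command, is illustrated by the following added example. It is not Cisco's code and says nothing about how NX-OS builds its commands; the handler, the `ls -l` wrapper, the allowlist pattern and the crafted input are all hypothetical. It contrasts a builder that concatenates the raw argument into a shell string with one that validates the argument against an allowlist and passes it as an argv element so that no shell ever parses it.

```python
import re
import shlex
import subprocess

# Added example, not Cisco code: a hypothetical CLI handler that wraps a host
# utility around a user-supplied filename argument. It contrasts a builder that
# trusts its argument with one that validates it and avoids the shell entirely.

# Allowlist for the argument: plain file names only, no shell metacharacters.
ARG_PATTERN = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def build_vulnerable_command(filename: str) -> str:
    """Concatenates the raw argument into a shell string (the anti-pattern).

    If this string were handed to subprocess.run(..., shell=True), every shell
    metacharacter in `filename` would be interpreted by the shell.
    """
    return f"ls -l {filename}"


def shell_command_count(cmd: str) -> int:
    """Approximates how many separate commands a POSIX shell would run for cmd.

    Tokenises with shell punctuation handling and counts the command separators;
    a count above 1 means the argument escaped its intended role.
    """
    tokens = list(shlex.shlex(cmd, posix=True, punctuation_chars=True))
    separators = sum(1 for t in tokens if t in (";", "&&", "||", "|"))
    return separators + 1


def argument_is_accepted(filename: str) -> bool:
    """Validation step of the hardened handler: an allowlist, not a denylist."""
    return ARG_PATTERN.fullmatch(filename) is not None


def build_hardened_command(filename: str) -> list[str]:
    """Validates the argument and returns an argv list, so no shell parses it."""
    if not argument_is_accepted(filename):
        raise ValueError(f"rejected argument: {filename!r}")
    return ["ls", "-l", filename]


def run_hardened(filename: str) -> int:
    """Executes the hardened form without shell=True and returns the exit code."""
    return subprocess.run(build_hardened_command(filename), capture_output=True).returncode


if __name__ == "__main__":
    benign = "config.txt"
    crafted = "config.txt; id"  # constructed input containing a shell separator
    for arg in (benign, crafted):
        cmd = build_vulnerable_command(arg)
        print(f"vulnerable builder: {cmd!r} -> {shell_command_count(cmd)} command(s)")
        print(f"hardened builder accepts {arg!r}: {argument_is_accepted(arg)}")
```

The point of the hardened form is that validation and argument passing reinforce each other: the allowlist rejects anything that is not a plain file name, and the argv list means that even an argument the allowlist lets through is delivered to the utility as a single opaque string rather than re-parsed by a shell.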

Sygnia, a cybersecurity firm, disclosed that Velvet Ant successfully leveraged this flaw to deploy custom malware, allowing the group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code. This malicious activity was identified during a broader forensic investigation over the past year. Cisco became aware of attempted exploitation in April 2024.

The affected devices include:

  • MDS 9000 Series Multilayer Switches
  • Nexus 3000 Series Switches
  • Nexus 5500 Platform Switches
  • Nexus 5600 Platform Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches
  • Nexus 9000 Series Switches in standalone NX-OS mode

"By exploiting this vulnerability, Velvet Ant was able to execute a previously unknown custom malware, allowing them to bypass system syslog messages and conceal the execution of shell commands on compromised appliances," Sygnia revealed in a statement shared with The Hacker News.

Velvet Ant first came into the spotlight last month when the Israeli cybersecurity firm documented the group's cyberattack on an unnamed organization in East Asia. The group maintained persistence by exploiting outdated F5 BIG-IP appliances, targeting customer and financial information stealthily for about three years.

"Network appliances, particularly switches, are often not monitored, and their logs are frequently not forwarded to a centralized logging system," Sygnia noted. "This lack of monitoring creates significant challenges in identifying and investigating malicious activities."
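One concrete consequence of the monitoring gap Sygnia describes is that a switch whose logs stop arriving at the collector, whether through misconfiguration or because a device is no longer forwarding, goes unnoticed. The following added example (not code from Sygnia or Cisco) shows a minimal check a central collector can run over the syslog it receives: it parses lines of the form `<timestamp> <host> <message>`, records each switch's most recent message, and reports expected switches that are silent beyond a threshold. The host names, timestamps, message texts and the expected-host list are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Added example, not from Sygnia or Cisco: a minimal staleness check a central
# log collector can run over syslog received from network switches. Host names,
# timestamps and message texts below are constructed for the example.

SAMPLE_SYSLOG = """\
2024-07-01T10:00:05Z switch-a config: user admin entered configuration mode
2024-07-01T10:01:12Z switch-b interface: Ethernet1/3 is up
2024-07-01T10:02:40Z switch-a config: user admin exited configuration mode
not a syslog line at all
2024-07-01T10:20:00Z switch-b interface: Ethernet1/4 is up
"""

# Every switch that is supposed to forward its logs to the collector
# (constructed inventory; switch-c never appears in the sample above).
EXPECTED_HOSTS = ("switch-a", "switch-b", "switch-c")

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse_syslog(text: str) -> list[tuple[datetime, str, str]]:
    """Parses '<ISO-8601 timestamp> <host> <message>' lines; skips malformed ones."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        except ValueError:
            continue  # first field is not a timestamp; not a record we understand
        records.append((ts, m.group(2), m.group(3)))
    return records


def last_seen(records) -> dict[str, datetime]:
    """Maps each host to the timestamp of its newest message."""
    seen = {}
    for ts, host, _ in records:
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def silent_hosts(records, expected_hosts, now: datetime, max_gap: timedelta) -> list[str]:
    """Returns expected hosts whose newest message is older than max_gap, or that
    never logged at all; both are gaps an analyst should look at."""
    seen = last_seen(records)
    return sorted(h for h in expected_hosts if h not in seen or now - seen[h] > max_gap)


def check_collector(text: str, expected_hosts, now_iso: str, max_gap_minutes: int) -> list[str]:
    """Convenience wrapper: parse the collector's buffer and report silent hosts."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    return silent_hosts(parse_syslog(text), expected_hosts, now, timedelta(minutes=max_gap_minutes))


if __name__ == "__main__":
    quiet = check_collector(SAMPLE_SYSLOG, EXPECTED_HOSTS, "2024-07-01T10:30:00Z", 15)
    print("switches silent for more than 15 minutes:", quiet)
```

The check only works if there is an inventory of switches that are expected to log and a collector that actually receives from them, which is exactly the centralised logging Sygnia says is frequently missing; with those two pieces in place, a device that stops reporting becomes an alert rather than a blind spot.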

In a parallel development, threat actors are exploiting another critical vulnerability in D-Link DIR-859 Wi-Fi routers (CVE-2024-0769, CVSS score: 9.8). This path traversal issue leads to information disclosure, allowing attackers to gather account details such as names, passwords, groups, and descriptions for all users. GreyNoise, a threat intelligence firm, highlighted that the product is End-of-Life and won't be patched, posing long-term exploitation risks.

"The exploit's variations enable the extraction of account details from the device," GreyNoise reported. "Multiple XML files can be invoked using the vulnerability."

The evolution of these threats underscores the need for vigilant monitoring and timely updates to mitigate the risks associated with network appliances and other connected devices.
