Cisco Patches Zero-Day Bug Used by Chinese Velvet Ant Group

Written by

A newly patched zero-day vulnerability was exploited by Chinese state-backed hackers to compromise Cisco Nexus switches, researchers have revealed.

Cisco released a patch for CVE-2024-20399 on 2 July, 2024. The flaw is found in the CLI of Cisco NX-OS software and could allow an authenticated local attacker to execute arbitrary commands as root on a targeted device.

“This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands,” the advisory noted.

“An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of root.”

Read more on Cisco Nexus threats: Cisco Enterprise Switch Flaw Exposes Encrypted Traffic

However, because an attacker would need administrator privileges and access to specific configuration commands, the bug has only been given a CVSS score of 6.

That didn’t stop Chinese threat group Velvet Ant exploiting the vulnerability in an attack discovered in April, according to security vendor Sygnia.

“This exploitation led to the execution of a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices,” Sygnia explained.

“Despite the substantial pre-requisites for exploiting the discussed vulnerability, this incident demonstrates the tendency of sophisticated threat groups to leverage network appliances – which are often not sufficiently protected and monitored – to maintain persistent network access; the incident also underscores the critical importance of adhering to security best practices as a mitigation against this type of threat.”

Velvet Ant has previously been linked to a sophisticated multi-year cyber-espionage campaign in which the group used compromised F5 BIG-IP load balancers for persistence.

Sygnia urged Cisco customers to improve their centralized logging and network monitoring related to switches, and to harden systems with regular patching, good password hygiene and restricted admin access, among other steps.

What’s hot on Infosecurity Magazine?