The Velvet Ant threat group was recently observed deploying malware and executing code on vulnerable Cisco Nexus switches.
Cyber security researchers have uncovered a Chinese cyber espionage campaign targeting a newly discovered command injection vulnerability in Cisco’s NX-OS software.
Cyber security firm Sygnia discovered the vulnerability and its exploitation as part of an ongoing forensic investigation of a threat group it has dubbed Velvet Ant.
The vulnerability – disclosed by Cisco as CVE-2024-20399 after being alerted by Sygnia – is in the command line interface of Cisco NX-OS and affects a raft of Nexus series switches and Cisco’s MDS 9000 Series multilayer switches.
According to Cisco’s advisory, the “vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of root”.
Cisco does note, however, that for this exploit to work, an attacker must have administrator credentials. The company has released updates to its software to address the vulnerability – there are no other workarounds.
Sygnia did not say when it observed the Chinese espionage activity but said that it observed the hackers successfully executing commands on vulnerable hardware before deploying a “previously unknown custom malware” that let them remotely connect to compromised devices. This led to the uploading of additional files and further code execution.
Sygnia also noted the exploit requires administrator-level credentials, as well as network access to a vulnerable Nexus switch.
“Despite the substantial prerequisites for exploiting the discussed vulnerability, this incident demonstrates the tendency of sophisticated threat groups to leverage network appliances – which are often not sufficiently protected and monitored – to maintain persistent network access,” Sygnia’s researchers said in a blog post.
“The incident also underscores the critical importance of adhering to security best practices as a mitigation against this type of threat.”
The affected devices are:
Sygnia had previously observed Velvet Ant targeting a “large organisation” in late 2023, taking advantage of “a legacy F5 BIG-IP appliance” to create an internal C&C node. Sygnia considers Velvet Ant to be a “sophisticated threat actor who exhibited robust capabilities and employed a methodical approach” to target its victims.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.