A China-linked cyber espionage group known as Velvet Ant has been observed exploiting a zero-day flaw in the Cisco NX-OS software that runs its switches in order to deliver malware.
The vulnerability, tracked as CVE-2024-20399 (CVSS score: 6.0), is a command injection that allows an authenticated local attacker to execute arbitrary commands as root on the underlying operating system of an affected device.
“By exploiting this vulnerability, Velvet Ant successfully launched a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, download additional files, and execute code on the devices,” cybersecurity firm Sygnia said in a statement shared with The Hacker News.
Cisco said the issue stems from insufficient validation of arguments passed to specific configuration CLI commands, which an adversary could exploit by including crafted input as the argument of an affected configuration CLI command.
Moreover, it allows a user with administrative privileges to execute commands without triggering syslog messages, making it possible to hide the execution of shell commands on compromised devices.
Despite the code execution impact of the flaw, an attacker must already hold administrative credentials and have access to certain configuration commands in order to exploit it. CVE-2024-20399 affects the following devices:
- MDS 9000 Series Multilayer Switches
- Nexus 3000 Series Switches
- Nexus 5500 Platform Switches
- Nexus 5600 Platform Switches
- Nexus 6000 Series Switches
- Nexus 7000 Series Switches, and
- Nexus 9000 Series Switches in standalone NX-OS mode
Sygnia said it discovered the use of CVE-2024-20399 in the wild during a broader forensic investigation that took place last year. Cisco, however, noted that it became aware of an attempted exploit in April 2024.
Velvet Ant was first documented by an Israeli cybersecurity firm last month in connection with a cyberattack on an unnamed organization in East Asia that spanned approximately three years, during which the group maintained persistence on legacy F5 BIG-IP devices to stealthily steal customer and financial information.
“Network devices, particularly switches, are often unmonitored and their logs are often not routed to a centralized logging system,” Sygnia said. “This lack of monitoring creates serious challenges in detecting and investigating malicious activity.”
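As an added example (not from Sygnia's report or Cisco's advisory), the audit below reads an NX-OS running-config excerpt and flags the monitoring gap Sygnia describes: no remote syslog collector and no AAA accounting, so command activity never leaves the switch. The two sample configs are constructed; `hostname`, `logging server` and `aaa accounting default group` are standard NX-OS commands, and the severity threshold of 6 is an assumed policy choice.

```python
import re
from dataclasses import dataclass, field

# Constructed NX-OS running-config excerpts (not captured from a real device).
# The first switch keeps its logs on-box only; the second forwards syslog to two
# collectors and records executed CLI commands through AAA accounting.
CONFIG_NO_FORWARDING = """\
hostname nexus-edge-1
feature ssh
logging logfile messages 6
"""

CONFIG_FORWARDING = """\
hostname nexus-core-2
feature ssh
logging server 192.0.2.10 6 use-vrf management
logging server 192.0.2.11 5 use-vrf management
logging logfile messages 6
aaa accounting default group tacacs-servers
"""

HOSTNAME = re.compile(r"^hostname (\S+)", re.M)
LOGGING_SERVER = re.compile(r"^logging server (\S+)(?: (\d))?", re.M)
AAA_ACCOUNTING = re.compile(r"^aaa accounting default group \S+", re.M)


@dataclass
class LoggingAudit:
    hostname: str
    syslog_servers: list = field(default_factory=list)  # (address, severity or None)
    aaa_accounting: bool = False
    findings: list = field(default_factory=list)


def audit_logging(running_config: str, min_severity: int = 6) -> LoggingAudit:
    """Report whether a switch's logs and CLI command history can reach a central collector."""
    host = HOSTNAME.search(running_config)
    audit = LoggingAudit(hostname=host.group(1) if host else "unknown")
    for addr, sev in LOGGING_SERVER.findall(running_config):
        # An omitted level means the device default applies; keep it as None.
        audit.syslog_servers.append((addr, int(sev) if sev else None))
    audit.aaa_accounting = bool(AAA_ACCOUNTING.search(running_config))
    if not audit.syslog_servers:
        audit.findings.append("no remote syslog server: logs stay on the device")
    for addr, sev in audit.syslog_servers:
        # NX-OS forwards messages at the configured severity and more severe ones;
        # below the assumed threshold, informational (level 6) events are not sent.
        if sev is not None and sev < min_severity:
            audit.findings.append(f"{addr} receives only severity <= {sev}; informational events dropped")
    if not audit.aaa_accounting:
        audit.findings.append("no AAA accounting: executed CLI commands are not recorded off-box")
    return audit
```

Run the function over each device's `show running-config` output and review the `findings` list per host; an empty list means both syslog forwarding and command accounting are in place.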
The development comes as threat actors are exploiting a critical vulnerability affecting D-Link DIR-859 Wi-Fi routers (CVE-2024-0769, CVSS score: 9.8), a path traversal issue leading to information disclosure, to collect account information such as names, passwords, groups and descriptions for all users.
“Variants of the exploit (…) allow for the extraction of account data from the device,” threat intelligence firm GreyNoise said. “The product has expired, so it will not be fixed, creating a long-term operational risk. Multiple XML files can be invoked using this vulnerability.”