Details have emerged of the China-nexus threat group using a recently disclosed, now patched, security flaw in Cisco switches as a zero-day to seize control of the device and evade detection.
Activity attributed to the Velvet Ant was seen earlier this year and involved weapons CVE-2024-20399 (CVSS Score: 6.0) to deliver custom malware and gain extensive control over the compromised system, facilitating both data theft and permanent access.
“The zero-day exploit allows an attacker with valid administrator credentials for the switch management console to bypass the NX-OS command-line interface (CLI) and execute arbitrary commands on the underlying Linux operating system,” cybersecurity firm Sygnia said. the report shared with The Hacker News.
Velvet ant first caught the attention of Israeli cybersecurity researchers in a multi-year campaign targeting an unnamed organization located in East Asia using legacy F5 BIG-IP devices as a vantage point to configure security in a compromised environment.
A hidden exploit in the CVE-2024-20399 threat came to light early last month, prompting Cisco to release security updates to address the flaw.
Notable among the tradecraft is the level of sophistication and shape-shifting tactics adopted by the group, initially infiltrating newer Windows systems before moving on to older Windows servers and network devices in an attempt to fly under the radar.
“The shift to operating from internal network devices represents another escalation of the evasion techniques used to ensure the continuation of the espionage campaign,” Signia said.
The latest attack chain involves compromising a Cisco switch using CVE-2024-20399 and performing reconnaissance, then moving to more network devices and eventually executing a backdoored binary using a malicious script.
The payload, named VELVETSHELL, is a combination of two open source tools, a Unix backdoor called A tiny shell and called proxy utility 3 proxy. It also supports the ability to execute arbitrary commands, download/upload files, and establish tunnels to proxy network traffic.
“Velvet Ant’s modus operandi highlights the risks and issues surrounding third-party devices and software within organizations,” the company said. “Due to the ‘black box’ nature of many devices, every piece of hardware or software can become an attack surface that an adversary can exploit.”
