Cisco Patches NX-OS Zero-Day Exploited by Chinese Threat Actor Velvet Ant

July 1, 2024

Cisco Systems has patched a zero-day vulnerability in its NX-OS software that threat actors exploited in attacks that took place in April. The attackers leveraged the vulnerability to install a novel form of malware with root access on susceptible switches.

The cybersecurity company Sygnia discovered the incidents and reported them to Cisco. Sygnia attributed the attacks to a Chinese state-sponsored threat group it tracks as Velvet Ant. Amnon Kushnir, Director of Incident Response at Sygnia, stated, "Sygnia detected this exploitation during a larger forensic investigation into the China-nexus cyberespionage group we are tracking as Velvet Ant."

The malicious actors managed to gather administrator-level credentials, which allowed them to access Cisco Nexus switches. They used this access to deploy a hitherto unknown custom malware, enabling them to remotely connect to the compromised devices, upload more files, and execute malicious code.

According to Cisco, the vulnerability, designated as CVE-2024-20399, can be exploited by local attackers with Administrator privileges to execute arbitrary commands with root permissions on the underlying operating systems of the vulnerable devices. Cisco further explained, "This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of root."

The vulnerability also allows attackers to execute commands without triggering system syslog messages, effectively enabling them to hide signs of compromise on hacked NX-OS devices. Cisco has recommended that customers regularly monitor and change the credentials of network-admin and vdc-admin administrative users. Cisco's Software Checker page can be used by admins to check if their network devices are vulnerable to attacks targeting the CVE-2024-20399 vulnerability.
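To make the root cause concrete, here is an added illustration (not Cisco's code and not NX-OS internals) of the bug class Cisco describes: a configuration command that splices a user-supplied argument into a shell command line run by a root-owned helper, next to a hardened form that allow-lists the argument's syntax and passes it as a separate argv element. The helper path and the hostname-setting command are hypothetical placeholders.

```python
import re

# Hypothetical placeholder for a root-owned helper on the underlying Linux host.
# Constructed for this example; it is not a real NX-OS path.
HELPER = "/placeholder/bin/set_hostname"

# Constructed input: a valid argument followed by a shell metacharacter sequence,
# the kind of "crafted input" the advisory refers to.
CRAFTED_ARGUMENT = "core1; id"


def build_unsafe(argument: str) -> str:
    """Vulnerable pattern: the CLI argument is interpolated into a single
    shell string with no validation, so anything after a ';' or '|' would be
    interpreted by /bin/sh with the helper's (root) privileges."""
    return f"{HELPER} {argument}"


# Allow-list for a hostname-like argument: letters, digits, '.' and '-', max 63 chars.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,62}")


def build_safe(argument: str) -> list[str]:
    """Hardened pattern: reject anything outside the allow-list, then return an
    argv list so the helper receives the value verbatim and no shell ever
    parses it. Raises ValueError on rejected input."""
    if not HOSTNAME_RE.fullmatch(argument):
        raise ValueError(f"rejected CLI argument: {argument!r}")
    return [HELPER, argument]


def injection_reaches_shell(argument: str) -> bool:
    """Return True if the unsafe builder passes the argument through unchanged,
    i.e. the shell metacharacters survive into the command line."""
    return argument in build_unsafe(argument)


if __name__ == "__main__":
    print("unsafe command line:", build_unsafe(CRAFTED_ARGUMENT))
    print("hardened argv      :", build_safe("core1-sw"))
    try:
        build_safe(CRAFTED_ARGUMENT)
    except ValueError as exc:
        print("hardened rejection :", exc)
```

The unsafe builder is never executed here; it only renders the command line so the difference between string interpolation and validated argv passing is visible.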

In a separate incident in April, Cisco had warned about a state-sponsored hacking group, identified as UAT4356 and STORM-1849, exploiting multiple zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359) in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023. This campaign, called ArcaneDoor, targeted government networks worldwide. The hackers used these vulnerabilities to install previously unknown malware that allowed them to maintain persistence on compromised ASA and FTD devices. However, the initial attack vector used by the attackers to breach the victims' networks remains unidentified by Cisco.

Last month, Sygnia reported that Velvet Ant had targeted F5 BIG-IP appliances with custom malware in a cyberespionage campaign. In this campaign, they maintained persistent access to their victims' networks, surreptitiously stealing sensitive customer and financial information for three years without being detected.
