Chinese Cybercriminals Exploiting Cisco Switches Zero-Day to Distribute Malware
A China-linked espionage group tracked as Velvet Ant has been observed exploiting a previously unknown security flaw in the Cisco NX-OS software that runs its switches in order to deliver malware.
The weakness, tracked as CVE-2024-20399 (CVSS score: 6.0), is a command injection vulnerability that allows an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device.
“By taking advantage of this vulnerability, Velvet Ant effectively utilized a custom malware that was not previously known, enabling the threat group to establish remote connections to compromised Cisco Nexus devices, transfer additional files, and execute code on the devices,” cybersecurity company Sygnia stated in a communication shared with The Hacker News.
Cisco said the problem stems from insufficient validation of arguments passed to certain configuration CLI commands; an attacker could exploit it by including crafted input as the argument of an affected configuration CLI command.
It also lets a user with administrator privileges execute commands without triggering system syslog messages, which allows the execution of shell commands on compromised devices to be concealed.
Despite its code execution impact, the flaw's lower severity rating reflects the fact that an attacker must already hold administrator credentials and have access to specific configuration commands to exploit it successfully. The following devices are affected by CVE-2024-20399:
- MDS 9000 Series Multilayer Switches
- Nexus 3000 Series Switches
- Nexus 5500 Platform Switches
- Nexus 5600 Platform Switches
- Nexus 6000 Series Switches
- Nexus 7000 Series Switches, and
- Nexus 9000 Series Switches in standalone NX-OS mode
Velvet Ant was first documented by the Israeli cybersecurity firm Sygnia last month in connection with a cyber attack on an unnamed organization in East Asia that lasted roughly three years; the group maintained persistence through outdated F5 BIG-IP appliances, which it used to covertly steal customer and financial data.
“Network appliances, especially switches, are commonly not under surveillance, and their logs are frequently not forwarded to a centralized logging system,” Sygnia remarked. “This absence of monitoring poses substantial challenges in the identification and investigation of malicious activities.”
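Because the flaw turns a crafted argument to a configuration CLI command into a root shell command, and because switch logs are rarely forwarded or reviewed, one practical detection control is to ship the device's command accounting records to a central collector and scan configuration-mode commands for shell metacharacters in their arguments. The following Python is an added example, not code from Sygnia or Cisco; the record layout is loosely modelled on NX-OS accounting output and the sample lines are constructed for illustration, so treat both as assumptions.

```python
import re
from typing import Dict, List

# Constructed sample records, loosely modelled on NX-OS "show accounting log"
# output. The exact field layout is an assumption made for this example.
SAMPLE_ACCOUNTING_LOG = """\
Mon Jul  1 10:02:11 2024:type=update:id=10.0.0.5@pts/0:user=admin:cmd=configure terminal ; hostname core-sw1 (SUCCESS)
Mon Jul  1 10:02:40 2024:type=update:id=10.0.0.5@pts/0:user=admin:cmd=configure terminal ; interface Ethernet1/1 ; description uplink to dist-1 (SUCCESS)
Mon Jul  1 10:03:02 2024:type=update:id=10.0.0.5@pts/0:user=admin:cmd=show version (SUCCESS)
Mon Jul  1 10:03:30 2024:type=update:id=10.0.0.5@pts/0:user=admin:cmd=configure terminal ; interface Ethernet1/2 ; description $(id) (SUCCESS)
Mon Jul  1 10:04:05 2024:type=update:id=10.0.0.5@pts/0:user=admin:cmd=configure terminal ; banner motd `id` (SUCCESS)
"""

# One accounting record: timestamp, type, session id, user, command string, result.
RECORD_RE = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<id>[^:]+):user=(?P<user>[^:]+)"
    r":cmd=(?P<cmd>.*?)\s*\((?P<result>\w+)\)$"
)

# Tokens that have no place in a configuration argument but would be
# significant if that argument reached a shell without validation.
SHELL_META_RE = re.compile(r"\$\(|\$\{|`|[|&<>]")


def parse_accounting(text: str) -> List[Dict[str, str]]:
    """Parse accounting lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def find_suspicious_config_commands(text: str) -> List[Dict[str, str]]:
    """Return records in which a configuration-mode command carries shell metacharacters.

    ';' separates the commands of one configuration session inside a record,
    so it is treated as a delimiter here rather than as an indicator.
    """
    hits = []
    for rec in parse_accounting(text):
        parts = [p.strip() for p in rec["cmd"].split(";")]
        if parts[0] != "configure terminal":
            continue  # only configuration-mode commands are in scope for this check
        for part in parts[1:]:
            if SHELL_META_RE.search(part):
                hits.append({"ts": rec["ts"], "user": rec["user"],
                             "session": rec["id"], "command": part})
                break
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_config_commands(SAMPLE_ACCOUNTING_LOG):
        print(f"{hit['ts']} {hit['user']}@{hit['session']}: {hit['command']}")
```

Any hit is a trigger to review the full admin session on the collector, since the device's own syslog may show nothing for the shell commands that followed.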

This development comes as threat actors are exploiting a critical vulnerability in D-Link DIR-859 Wi-Fi routers (CVE-2024-0769, CVSS score: 9.8), a path traversal issue leading to information disclosure, to collect account details such as names, passwords, groups, and descriptions for all users.
“Various iterations of the exploit […] facilitate the extraction of account specifics from the device,” threat intelligence company GreyNoise pointed out. “Since the product is End-of-Life, there will be no patch available, posing enduring exploitation risks. Multiple XML files can be invoked utilizing the vulnerability.”