Recent reports indicate that a cyber espionage group with connections to China, tracked as Velvet Ant, has been exploiting a zero-day vulnerability in Cisco's NX-OS Software, the operating system of Cisco's Nexus switches, to deliver malware. The flaw, identified as CVE-2024-20399 with a CVSS score of 6.0, is a command injection in the NX-OS command-line interface that allows an authenticated local attacker to run arbitrary commands as root on the underlying operating system of an affected device.

In a statement shared with The Hacker News, cybersecurity firm Sygnia detailed how Velvet Ant leveraged this vulnerability to deploy a previously unknown piece of custom malware. The malware lets the threat actors remotely connect to compromised Cisco Nexus devices, upload additional files, and execute commands on them. The underlying issue is insufficient validation of arguments passed to specific configuration CLI commands: an attacker who can run one of those commands can include crafted input as its argument and have it executed by the underlying operating system.

The vulnerability also allows a user with administrator privileges to execute commands without triggering NX-OS system syslog messages. That matters in practice: a shell command injected this way leaves no trace in the switch's own syslog, which hides the activity from monitoring and complicates both detection and remediation. Although the flaw yields code execution as root, its moderate severity rating reflects the preconditions: an attacker must already hold administrator credentials on the device and must be able to reach the specific affected configuration commands.
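The class of bug described above (a CLI front end that validates its arguments poorly and passes them to the operating system) can be shown with a small hypothetical command wrapper. This is an added illustration and is not NX-OS code; Cisco has not published the affected code path, so the `vsh`-style command table, the argument pattern and the in-memory audit log are all constructed here. The vulnerable variant builds a shell string from the raw argument, so a `;`-separated payload is executed even though the audit record only shows the CLI line the operator typed; the hardened variant rejects anything outside an allowlisted character set and runs the program with an argv list, never a shell.

```python
"""Hypothetical CLI argument-injection illustration (not Cisco/NX-OS code)."""
import re
import shlex
import subprocess
from typing import List

# Stand-in for syslog: what the CLI layer records about each command it ran.
AUDIT_LOG: List[str] = []

# Constructed command table: CLI keyword -> underlying OS program and fixed args.
# `echo` stands in for the real binary so the example runs anywhere offline.
COMMAND_TABLE = {"resolve": ["echo", "resolving"]}

# Allowlist for legitimate arguments (hostnames, dotted quads, bootflash paths).
ARG_PATTERN = re.compile(r"^[A-Za-z0-9._:/-]+$")


def vulnerable_cli(keyword: str, arg: str) -> str:
    """Vulnerable variant: interpolates the raw argument into a shell string.

    The audit entry shows the CLI line, but the shell interprets metacharacters
    in `arg`, so 'host1; echo INJECTED' runs a second command silently.
    """
    AUDIT_LOG.append(f"cmd={keyword} {arg}")
    shell_line = " ".join(COMMAND_TABLE[keyword]) + " " + arg
    proc = subprocess.run(shell_line, shell=True, capture_output=True, text=True)
    return proc.stdout


def hardened_cli(keyword: str, arg: str) -> str:
    """Hardened variant: validate the argument, then exec with an argv list.

    No shell is involved, so even an argument that slips past the pattern would
    reach the program as a single literal string rather than as extra commands.
    """
    if keyword not in COMMAND_TABLE:
        raise ValueError(f"unknown command {keyword!r}")
    if not ARG_PATTERN.fullmatch(arg):
        raise ValueError(f"rejected argument {arg!r}")
    argv = COMMAND_TABLE[keyword] + [arg]
    AUDIT_LOG.append("cmd=" + shlex.join(argv))  # log exactly what will run
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout


def injection_rejected(keyword: str, arg: str) -> bool:
    """True if the hardened CLI refuses the argument before executing anything."""
    try:
        hardened_cli(keyword, arg)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "host1; echo INJECTED"
    print("vulnerable output:", repr(vulnerable_cli("resolve", payload)))
    print("hardened rejects payload:", injection_rejected("resolve", payload))
    print("hardened normal output:", repr(hardened_cli("resolve", "host1")))
    print("audit log:", AUDIT_LOG)
```

The audit log is the point to notice: both variants record a line, but only the hardened one records the exact argv that ran, because it logs after validation and never lets the shell rewrite the command.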

The devices vulnerable to CVE-2024-20399 span the NX-OS product line: MDS 9000 Series Multilayer Switches and Nexus 3000 Series, Nexus 5500 and 5600 Platform, Nexus 6000 Series, Nexus 7000 Series, and Nexus 9000 Series switches running in standalone NX-OS mode. Sygnia discovered the exploitation during a forensic investigation spanning the past year. Cisco said it became aware of attempted exploitation in April 2024.
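Checking whether a given switch runs a fixed release is a matter of reading the `NXOS: version` line of `show version` and comparing it with the first fixed release for that train. The script below is an added example, not Cisco's tooling: it parses NX-OS release strings such as `9.3(12)`, `10.2(6)M` and `7.0(3)I7(10)` into comparable tokens and reports whether the running release is below the fix. The `show version` excerpt is constructed, and the fixed-release table is a placeholder to be filled from the Cisco advisory or Cisco Software Checker; it is not a statement of the actual fixed versions for CVE-2024-20399.

```python
"""Added example: NX-OS release comparison against a user-supplied fixed release."""
import re
from typing import Dict, List, Tuple

# Matches the release line in `show version` output, e.g. "  NXOS: version 9.3(12)".
VERSION_LINE = re.compile(r"^\s*NXOS:\s+version\s+(\S+)", re.MULTILINE)

Token = Tuple[int, object]  # (kind, value): kind 0 = number, kind 1 = letters


def parse_release(release: str) -> List[Token]:
    """Split '9.3(12)', '10.2(6)M' or '7.0(3)I7(10)' into comparable tokens.

    Numbers compare numerically (so (9) < (10)), letter groups lexically, and a
    release with fewer tokens sorts before one that extends it.
    """
    tokens: List[Token] = []
    for num, alpha in re.findall(r"(\d+)|([A-Za-z]+)", release):
        tokens.append((0, int(num)) if num else (1, alpha))
    if not tokens:
        raise ValueError(f"unrecognised release string {release!r}")
    return tokens


def train_of(release: str) -> str:
    """Return the 'major.minor' train, e.g. '9.3' for '9.3(12)'."""
    major, minor = parse_release(release)[:2]
    return f"{major[1]}.{minor[1]}"


def is_at_least(running: str, fixed: str) -> bool:
    """True if `running` is the same as or newer than `fixed` within a train."""
    return parse_release(running) >= parse_release(fixed)


def release_from_show_version(text: str) -> str:
    match = VERSION_LINE.search(text)
    if not match:
        raise ValueError("no 'NXOS: version' line in show version output")
    return match.group(1)


def assess(show_version_text: str, first_fixed: Dict[str, str]) -> Tuple[str, str, str]:
    """Return (status, running_release, fixed_release_or_empty).

    status is 'fixed', 'vulnerable' or 'unknown' (train not in the table, so
    the operator must consult Cisco Software Checker rather than guess).
    """
    running = release_from_show_version(show_version_text)
    train = train_of(running)
    if train not in first_fixed:
        return ("unknown", running, "")
    fixed = first_fixed[train]
    return ("fixed" if is_at_least(running, fixed) else "vulnerable", running, fixed)


# Constructed `show version` excerpt (not captured from a real device).
SAMPLE_SHOW_VERSION = """\
Cisco Nexus Operating System (NX-OS) Software
Software
  BIOS: version 05.47
  NXOS: version 9.3(12)
  NXOS image file is: bootflash:///nxos.9.3.12.bin
Hardware
  cisco Nexus9000 C93180YC-EX chassis
"""

# PLACEHOLDER values: replace with the first fixed release per train from the
# Cisco advisory / Software Checker. Not the real fix table for CVE-2024-20399.
PLACEHOLDER_FIRST_FIXED = {"9.3": "9.3(13)"}

if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, PLACEHOLDER_FIRST_FIXED))
```

Compare only within a train: `is_at_least` orders `10.2(5)` before `10.2(5)M`, which is fine for a fixed-release lookup keyed by train but is not a claim about how Cisco's M and F trains relate to each other.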

Velvet Ant was previously documented by Sygnia, an Israeli cybersecurity firm, as carrying out a prolonged intrusion against an undisclosed organization in East Asia. That campaign lasted approximately three years and relied on outdated F5 BIG-IP appliances for persistence while the group quietly exfiltrated customer and financial data.

As Sygnia pointed out, network appliances, and switches in particular, often go unmonitored, and their logs are rarely forwarded to a centralized logging system. That blind spot makes malicious activity on these core infrastructure components hard to identify and harder still to reconstruct after the fact.
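Once switch logs are actually forwarded off-box, the command-accounting records are the most useful signal for this kind of activity, because they capture each CLI line per session before any post-exploitation shell runs. The following is an added example, not from Sygnia or Cisco: it parses records laid out like NX-OS `show accounting log` output and flags sessions from outside a management allowlist and commands that escape to the underlying Linux shell or move files on or off the device. The log lines, the allowlist and the suspicious-command patterns are constructed assumptions for illustration, not a published indicator set for Velvet Ant.

```python
"""Added example: triage of NX-OS-style command-accounting records."""
import re
from typing import Dict, Iterable, List, Set

# One accounting record: '<timestamp>:type=<start|update|stop>:id=<src>@<tty>:user=<u>:cmd=<...>'.
# The timestamp itself contains colons, so match it lazily up to ':type='.
RECORD = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<id>[^:]+):user=(?P<user>[^:]*):cmd=(?P<cmd>.*)$"
)

# Assumed heuristics (not a vendor indicator list): commands that drop the
# operator into the underlying shell or transfer files to/from the device.
SUSPICIOUS = [
    ("shell-escape", re.compile(r"\b(run bash|run guestshell|feature bash-shell|python3?)\b")),
    ("file-transfer", re.compile(r"\bcopy\b.*\b(scp|sftp|tftp|ftp|https?):", re.IGNORECASE)),
]


def parse_record(line: str) -> Dict[str, str]:
    """Split one accounting line into its fields; raises on unexpected layout."""
    match = RECORD.match(line.strip())
    if not match:
        raise ValueError(f"not an accounting record: {line!r}")
    rec = match.groupdict()
    rec["source"] = rec["id"].split("@", 1)[0]  # '<src>@<tty>' -> '<src>'
    return rec


def triage(lines: Iterable[str], mgmt_allowlist: Set[str]) -> List[Dict[str, object]]:
    """Return one alert per record that trips a heuristic.

    Source checks run on session-start records only, so one rogue session
    produces a single 'unexpected source' alert rather than one per command.
    """
    alerts: List[Dict[str, object]] = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        reasons: List[str] = []
        if rec["type"] == "start" and rec["source"] not in mgmt_allowlist:
            reasons.append(f"session from non-management source {rec['source']}")
        for tag, pattern in SUSPICIOUS:
            if pattern.search(rec["cmd"]):
                reasons.append(f"{tag}: matched {pattern.pattern}")
        if reasons:
            alerts.append({"ts": rec["ts"], "user": rec["user"], "source": rec["source"],
                           "cmd": rec["cmd"], "reasons": reasons})
    return alerts


# Constructed sample, modelled on the `show accounting log` layout.
SAMPLE_LOG = """\
Mon Jul  1 09:12:44 2024:type=start:id=10.10.5.21@pts/0:user=admin:cmd=
Mon Jul  1 09:13:02 2024:type=update:id=10.10.5.21@pts/0:user=admin:cmd=configure terminal ; feature bash-shell (SUCCESS)
Mon Jul  1 09:13:20 2024:type=update:id=10.10.5.21@pts/0:user=admin:cmd=run bash (SUCCESS)
Mon Jul  1 09:20:07 2024:type=start:id=10.0.0.5@pts/1:user=netops:cmd=
Mon Jul  1 09:20:31 2024:type=update:id=10.0.0.5@pts/1:user=netops:cmd=show interface status (SUCCESS)
Mon Jul  1 09:25:13 2024:type=stop:id=10.10.5.21@pts/0:user=admin:cmd=shell terminated because of telnet closed
"""

# Assumed management jump host; anything else opening a session is worth a look.
MGMT_ALLOWLIST = {"10.0.0.5"}

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG.splitlines(), MGMT_ALLOWLIST):
        print(alert["ts"], alert["user"], alert["source"], alert["cmd"], alert["reasons"])
```

Keep the limitation in view: per Cisco's advisory, a command injected through CVE-2024-20399 does not itself generate an NX-OS syslog message, so this triage catches the surrounding activity (the session origin and any explicit shell escape or file transfer) rather than the injected command. That is only possible if the switch is configured to send its logs to a collector in the first place.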

The disclosure lands alongside other in-the-wild exploitation of network devices: threat actors are currently exploiting a separate critical vulnerability in D-Link DIR-859 Wi-Fi routers, CVE-2024-0769, a path traversal flaw that leads to information disclosure. Together these cases underscore the need for vigilance around devices that typically sit outside an organization's monitoring coverage.
