Cyber Security News

Chinese Hackers Exploiting Zero-Day Flaw in Cisco Switches to Deploy Malware

A sophisticated China-linked cyber espionage group, known as Velvet Ant, has been discovered exploiting a zero-day vulnerability in Cisco NX-OS Software to deploy custom malware on network switches.

The vulnerability, tracked as CVE-2024-20399, was identified by cybersecurity firm Sygnia during a forensic investigation and promptly reported to Cisco.

The flaw, which has a CVSS score of 6.0, allows an authenticated local attacker with administrator privileges to execute arbitrary commands as root on the underlying operating system of affected devices. Cisco has acknowledged the vulnerability, attributing it to insufficient validation of arguments passed to specific configuration CLI commands.


Velvet Ant’s exploitation of CVE-2024-20399 enabled the group to execute previously unknown custom malware on compromised Cisco Nexus devices. This malware facilitated remote connections to the devices, allowing attackers to upload additional files and execute further code.

“By investigating the accounting logs of the affected system, Sygnia discovered several suspicious Base64-encoded commands that were executed using valid administrative credentials,” reads Sygnia’s report.

[Image: command injection vulnerability used by Velvet Ant]

The vulnerability affects multiple Cisco switch series, including MDS 9000, Nexus 3000, 5500, 5600, 6000, 7000, and 9000. Cisco has released software updates to address the issue and strongly recommends customers apply these patches promptly.

The VELVETSHELL malware combines elements of two open-source tools: TinyShell, a Unix backdoor, and 3proxy, a proxy tool.

The VELVETSHELL malware provides various capabilities, including executing arbitrary commands, downloading and uploading files, and creating tunnels to proxy network traffic.

[Image: VELVETSHELL malware functions]

Sygnia’s investigation revealed that Velvet Ant had been operating for about three years, maintaining persistence on outdated F5 BIG-IP appliances to stealthily steal customer and financial information.

The group’s sophisticated approach involves exploiting network vulnerabilities and targeting inadequately protected network appliances for long-term access.

Experts highlight that network appliances, particularly switches, are often not sufficiently monitored, with logs rarely forwarded to centralized logging systems. This lack of oversight creates significant challenges in detecting and investigating malicious activities.

While the vulnerability requires network access to the device and possession of administrator credentials, reducing the overall risk, it underscores the persistence of sophisticated threat actors in targeting critical infrastructure.

In response to this threat, organizations are advised to implement several mitigation strategies:

  1. Apply the latest software updates provided by Cisco.
  2. Implement robust monitoring systems for network appliances.
  3. Regularly review and update administrator credentials.
  4. Adopt security best practices to prevent unauthorized access.
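The Sygnia finding above (Base64-encoded commands in the switch accounting log, run under valid admin credentials) and mitigation item 2 both point at the same detection opportunity. The following is an added example, not code from the article or from Sygnia: it scans exported accounting log lines for command arguments that decode as Base64 into printable text. The log format, the sample entries and the encoded argument are constructed for illustration; real NX-OS exports may differ, so the line regex is an assumption to adapt.

```python
import base64
import re
from dataclasses import dataclass

# Constructed sample in an assumed NX-OS-style accounting log layout:
# "<timestamp>:type=<type>:id=<source>@<tty>:user=<user>:cmd=<command> (<result>)"
# The encoded argument is a harmless constructed string, not a real payload.
ENCODED_ARG = base64.b64encode(b"echo constructed-test-payload").decode()
SAMPLE_LOG = f"""\
Mon Jul  1 10:01:02 2024:type=update:id=10.0.0.5@pts/0:user=admin:cmd=configure terminal ; interface Ethernet1/1 ; description uplink (SUCCESS)
Mon Jul  1 10:02:15 2024:type=update:id=10.0.0.5@pts/0:user=admin:cmd=copy bootflash:nxos.9.3.5.bin scp://ops@10.0.0.9/images/ ; md5 d41d8cd98f00b204e9800998ecf8427e (SUCCESS)
Mon Jul  1 10:03:40 2024:type=update:id=10.0.0.5@pts/0:user=admin:cmd=configure terminal ; interface Ethernet1/2 ; description {ENCODED_ARG} (SUCCESS)
"""

LINE_RE = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<src>[^:]+):user=(?P<user>[^:]+):cmd=(?P<cmd>.*)$"
)
# Base64 candidate: standard alphabet, optional padding, at least 16 characters.
B64_TOKEN_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

@dataclass
class Finding:
    user: str
    src: str
    token: str
    decoded: str

def decode_if_base64(token: str):
    """Return decoded text if token is Base64 that decodes to printable text, else None."""
    if not B64_TOKEN_RE.match(token) or len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # Hashes and other opaque hex strings pass the alphabet check but almost
    # never decode to clean printable text; reject them to cut false positives.
    if not raw or any(not (32 <= b < 127 or b in (9, 10, 13)) for b in raw):
        return None
    return raw.decode("ascii")

def scan_accounting_log(log_text: str):
    """Flag accounting entries whose command carries a Base64-encoded argument."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for token in m["cmd"].split():
            decoded = decode_if_base64(token)
            if decoded is not None:
                findings.append(Finding(m["user"], m["src"], token, decoded))
    return findings
```

Forwarding the accounting log to a central collector and running this kind of check there, rather than on the switch itself, also addresses the visibility gap the article describes.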

As cyber threats continue to evolve, organizations must remain proactive in their approach to cybersecurity, ensuring that all aspects of their network infrastructure, including switches and other network appliances, are adequately protected and monitored.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
