Cisco’s NX-OS Zero-Day Vulnerability Exploited by Velvet Ant

Cisco’s NX-OS zero-day vulnerability (CVE-2024-20399) has been actively exploited by the Chinese state-sponsored threat actor known as Velvet Ant, highlighting the urgent need for cybersecurity professionals and network administrators to secure affected systems.

In a forensic investigation led by Sygnia, it was discovered that Velvet Ant gained administrator-level credentials to access Cisco Nexus switches and deploy custom malware. This malware enabled the attackers to remotely connect to compromised devices, upload additional files, and execute malicious code.

“The threat actors gathered administrator-level credentials to gain access to Cisco Nexus switches and deploy a previously unknown custom malware,” stated Amnon Kushnir, Director of Incident Response at Sygnia.

Cisco’s vulnerability, due to insufficient validation of arguments passed to specific configuration CLI commands, can be exploited by local attackers with administrator privileges to execute arbitrary commands with root permissions on vulnerable devices. The company explains, “A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of root.”

The affected devices include multiple Cisco Nexus switches, such as the Nexus 3000 Series Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, and Nexus 9000 Series Switches in standalone NX-OS mode. MDS 9000 Series Multilayer Switches are also impacted. The flaw allows attackers to execute commands without triggering system syslog messages, thereby concealing signs of compromise.

To mitigate the risk, Cisco advises customers to monitor and change the credentials of network-admin and vdc-admin administrative users regularly. Admins can use the Cisco Software Checker page to determine whether their devices are exposed to attacks targeting the CVE-2024-20399 vulnerability.
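Because exploitation of this flaw leaves no syslog trail, one input for the credential monitoring Cisco recommends is a periodic inventory of which accounts hold the network-admin or vdc-admin roles. The following script is an added example, not part of the article or of Cisco's tooling: it parses `username ... role ...` lines from a running-config dump (the sample config and the approved-account list are constructed placeholders) and flags administrative accounts that are not on the approved list.

```python
import re

# Constructed sample of NX-OS running-config lines; not captured from a real device.
# NX-OS emits one "username <name> [password <type> <hash>] role <role>" line
# per role assignment, so a user with two roles appears on two lines.
SAMPLE_RUNNING_CONFIG = """\
version 9.3(7)
hostname nexus-core-1
username admin password 5 $5$PLACEHOLDERHASH1 role network-admin
username netops password 5 $5$PLACEHOLDERHASH2 role network-operator
username svc-backup password 5 $5$PLACEHOLDERHASH3 role vdc-admin
username svc-backup role network-admin
username jdoe password 5 $5$PLACEHOLDERHASH4 role network-operator
"""

# The two administrative roles the advisory tells operators to monitor.
PRIVILEGED_ROLES = {"network-admin", "vdc-admin"}

USERNAME_LINE = re.compile(
    r"^username\s+(\S+)(?:\s+password\s+\d+\s+\S+)?\s+role\s+(\S+)\s*$"
)


def privileged_accounts(running_config):
    """Return {username: set(roles)} for every account holding an admin role."""
    roles_by_user = {}
    for line in running_config.splitlines():
        match = USERNAME_LINE.match(line.strip())
        if not match:
            continue
        user, role = match.group(1), match.group(2)
        roles_by_user.setdefault(user, set()).add(role)
    return {u: r for u, r in roles_by_user.items() if r & PRIVILEGED_ROLES}


def unexpected_admins(running_config, approved):
    """Admin-role accounts that are absent from the operator's approved list."""
    return sorted(u for u in privileged_accounts(running_config) if u not in approved)


if __name__ == "__main__":
    # Hypothetical approved list; in practice this comes from the change record.
    APPROVED = {"admin"}
    for user, roles in sorted(privileged_accounts(SAMPLE_RUNNING_CONFIG).items()):
        print(f"{user}: {', '.join(sorted(roles))}")
    for user in unexpected_admins(SAMPLE_RUNNING_CONFIG, APPROVED):
        print(f"REVIEW: unapproved administrative account {user}")
```

Run it against the output of `show running-config` collected on each switch and diff the result between collection runs; a new or changed administrative account is the signal to rotate credentials and investigate.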

This incident follows a series of state-backed hacking campaigns. In April, Cisco warned about a group (tracked as UAT4356 and STORM-1849) exploiting multiple zero-day bugs (CVE-2024-20353 and CVE-2024-20359) in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls. These vulnerabilities, exploited since November 2023 in a campaign dubbed ArcaneDoor, targeted government networks worldwide. The hackers had been developing exploits for these zero-day flaws since at least July 2023, allowing them to maintain persistence on compromised ASA and FTD devices.

Last month, Sygnia reported that Velvet Ant targeted F5 BIG-IP appliances with custom malware in a cyberespionage campaign, using persistent access to stealthily steal sensitive customer and financial information for three years without detection.

In conclusion, the exploitation of the NX-OS zero-day vulnerability by Velvet Ant underscores the critical need for immediate action. Cybersecurity professionals and network administrators must implement Cisco’s recommended security measures to protect their networks from this sophisticated threat.

Author

  • Maya Pillai is a tech writer with 20+ years of experience curating engaging content. She can translate complex ideas into clear, concise information for all audiences.