China-Linked Hackers Discovered Exploiting Cisco NX-OS Vulnerability
The Velvet Ant threat group was recently observed deploying malware and executing code on vulnerable Cisco Nexus switches.
Cybersecurity researchers have uncovered a Chinese cyberespionage campaign targeting a recently discovered command injection vulnerability in Cisco’s NX-OS software.
Cybersecurity company Sygnia discovered the vulnerability and its exploitation as part of an ongoing forensic investigation into a threat group it has dubbed Velvet Ant.
The vulnerability, disclosed by Cisco as CVE-2024-20399 after being alerted by Sygnia, is located in the command line interface of Cisco NX-OS and affects a number of Nexus series switches and multilayer switches from the Cisco MDS 9000 series.
According to Cisco’s advisory, the “vulnerability is due to insufficient validation of arguments passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as an argument to an affected configuration CLI command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.”
Cisco notes, however, that for this exploit to work, an attacker must have administrator credentials. The company has released software updates to address the vulnerability; there are no workarounds.
Sygnia did not say when it observed the Chinese espionage activity, but said it saw the hackers successfully executing commands on vulnerable hardware before deploying “previously unknown custom malware” that allowed them to connect remotely to the compromised devices. This led to additional file uploads and further code execution.
Sygnia also noted that the exploit requires administrator-level credentials as well as network access to a vulnerable Nexus switch.
“Despite the significant prerequisites for exploiting the discussed vulnerability, this incident demonstrates the tendency of sophisticated threat groups to exploit network devices, which are often insufficiently secured and monitored, to maintain persistent access to the network,” Sygnia researchers said in a blog post.
“The incident also underscores the critical importance of adhering to security best practices as mitigation against this type of threat.”
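One concrete form of the monitoring Sygnia calls for is reviewing the switch’s command accounting log for configuration commands whose arguments carry shell metacharacters, the shape of input the advisory above describes. The script below is an added example, not code from Cisco or Sygnia; the log lines are constructed, and the `type=...:id=...:user=...:cmd=...` layout is an assumption that only approximates NX-OS `show accounting log` output, so adjust the parser to your platform.

```python
"""Flag NX-OS configuration CLI commands whose arguments contain shell
metacharacters (the input pattern behind argument-injection bugs such as
CVE-2024-20399). Added example; log format below is an assumption."""
import re

# Characters that never belong in an interface, VRF or description
# argument but would matter if the argument reached a root shell.
SHELL_META = re.compile(r"[;&|`$<>]")

# Constructed sample lines (not captured from a real device).
SAMPLE_LOG = """\
Mon Jul  1 09:12:03 2024:type=update:id=10.0.0.5@pts/0:user=netops:cmd=configure terminal ; interface Ethernet1/1 ; description uplink-to-core (SUCCESS)
Mon Jul  1 09:15:41 2024:type=update:id=10.0.0.9@pts/1:user=admin:cmd=configure terminal ; vrf context test`id` (SUCCESS)
Mon Jul  1 09:16:02 2024:type=start:id=10.0.0.9@pts/1:user=admin:cmd=show version (SUCCESS)
"""

ACCT_RE = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<src>[^:]+):user=(?P<user>[^:]+)"
    r":cmd=(?P<cmd>.*?)\s*\((?P<result>\w+)\)\s*$"
)


def parse_line(line):
    """Return the fields of one accounting record, or None if unparsable."""
    m = ACCT_RE.match(line)
    return m.groupdict() if m else None


def suspicious_args(cmd_field):
    """Return the sub-commands whose arguments contain shell metacharacters.
    The accounting log joins the commands of one config session with ' ; ',
    so that separator is split off first; otherwise every config session
    would be flagged for its own legitimate ';'."""
    hits = []
    for sub in cmd_field.split(" ; "):
        words = sub.split()
        # words[0] is the command keyword; only its arguments are inspected.
        if len(words) > 1 and any(SHELL_META.search(w) for w in words[1:]):
            hits.append(sub)
    return hits


def scan(log_text):
    """Yield (user, source, flagged sub-commands) for config changes only."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["type"] != "update":
            continue  # only configuration changes can hit the CLI bug
        hits = suspicious_args(rec["cmd"])
        if hits:
            findings.append((rec["user"], rec["src"], hits))
    return findings


if __name__ == "__main__":
    for user, src, hits in scan(SAMPLE_LOG):
        print(f"REVIEW user={user} from={src}: {hits}")
```

Run it against an export of the accounting log; the single flagged record in the sample is the `vrf context` command whose argument contains backticks, while the ordinary config session with several `;`-separated commands is not reported.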
The affected devices are:
- MDS 9000 Series Multilayer Switches (CSCwj97007)
- Nexus 3000 Series Switches (CSCwj97009)
- Nexus 5500 Platform Switches (CSCwj97011)
- Nexus 5600 Platform Switches (CSCwj97011)
- Nexus 6000 Series Switches (CSCwj97011)
- Nexus 7000 Series Switches (CSCwj94682)
- Nexus 9000 Series Switches in Standalone NX-OS Mode (CSCwj97009)
Sygnia had previously noted that Velvet Ant was targeting a “large organization” in late 2023, leveraging “a legacy F5 BIG-IP device” to create an internal C&C node. Sygnia considers Velvet Ant to be a “sophisticated threat actor that exhibited robust capabilities and employed a methodical approach” to attacking its victims.