China-Linked Velvet Ant Exploits Zero-Day Flaw in Cisco NX-OS Software

A China-nexus cyber espionage group, Velvet Ant, has been identified exploiting a zero-day vulnerability in Cisco NX-OS Software used in its network switches to deploy malware. The flaw, tracked as CVE-2024-20399, has a CVSS score of 6.0 and involves a command injection vulnerability that allows authenticated, local attackers to execute arbitrary commands as root on affected devices.

Details of the Vulnerability

According to discovering cybersecurity firm Sygnia, Velvet Ant exploited this vulnerability to execute a custom malware that enabled remote connection to compromised Cisco Nexus devices. This allowed the attackers to upload additional files and execute code on the devices.

The vulnerability arises from insufficient validation of arguments passed to specific configuration CLI commands. This lack of validation allows adversaries to exploit the flaw by including crafted input as the argument of an affected command. Importantly, this vulnerability enables administrators to execute commands without generating syslog messages, effectively concealing the execution of shell commands on compromised devices.

Affected Devices

The following Cisco devices are impacted by CVE-2024-20399:

  • MDS 9000 Series Multilayer Switches

  • Nexus 3000 Series Switches

  • Nexus 5500 Platform Switches

  • Nexus 5600 Platform Switches

  • Nexus 6000 Series Switches

  • Nexus 7000 Series Switches

  • Nexus 9000 Series Switches (in standalone NX-OS mode)


Despite the critical nature of the flaw, its severity is mitigated by the requirement for attackers to possess administrator credentials and access specific configuration commands.

Discovery and Response

Sygnia uncovered the exploitation of CVE-2024-20399 during a broader forensic investigation over the past year. Cisco became aware of attempted exploitation of the vulnerability in April 2024. Velvet Ant, first documented by Sygnia last month, had been targeting an unnamed organization in East Asia for approximately three years, using outdated F5 BIG-IP appliances to steal customer and financial information stealthily.

Sygnia’s Director of Incident Response, Amnon Kushnir, emphasized the sophistication of Velvet Ant: “We discovered this vulnerability during a larger forensic investigation into China’s Velvet Ant cyberespionage group. The threat actors gathered administrator-level credentials to gain access to Cisco Nexus switches and deploy a previously unknown custom malware that allowed them to remotely connect to compromised devices, upload additional files, and execute malicious code.”

Importance of Network Monitoring

The incident highlights a significant issue in network security: the insufficient monitoring of network appliances. Sygnia noted, “Network appliances, particularly switches, are often not monitored, and their logs are frequently not forwarded to a centralized logging system. This lack of monitoring creates significant challenges in identifying and investigating malicious activities.”

Broader Cybersecurity Implications

This development comes as threat actors also exploit a critical vulnerability affecting D-Link DIR-859 Wi-Fi routers (CVE-2024-0769, CVSS score: 9.8), which enables the extraction of account details due to a path traversal issue. GreyNoise, a threat intelligence firm, noted that this product is End-of-Life and will not receive patches, posing long-term exploitation risks.

Recommendations

In response to the Cisco NX-OS vulnerability, Cisco has released software updates to address the issue. Organizations are urged to install these updates on licensed devices promptly. Kushnir advises, “We recommend installing these on licensed devices as soon as possible. Additionally, we advise that enterprise organizations implement prevention and hardening strategies to improve defenses, such as restricting administrative access to specific network addresses, using central authentication, authorization and accounting management for users, bolstering password hygiene and policies, restricting outbound internet access for devices, and adhering to regular patch and vulnerability management practices.”

The Velvet Ant exploitation of the Cisco NX-OS vulnerability underscores the critical need for robust cybersecurity measures and continuous monitoring of network devices. As cyber threats become more sophisticated, organizations must enhance their security protocols to prevent unauthorized access and mitigate the risks associated with such vulnerabilities.