Chinese Velvet Ant Uses Cisco Zero-Day to Deploy Custom Malware
A Chinese cyber espionage group has been observed deploying custom malware after jailbreaking a Cisco switch appliance using a recently discovered zero-day exploit.
While investigating the attack techniques of Velvet Ant, an advanced persistent threat (APT) group believed to be sponsored by China, cybersecurity firm Sygnia discovered in July 2024 that the group had exploited a zero-day command injection vulnerability in Cisco’s NX-OS (CVE-2024-20399).
NX-OS is a network operating system designed specifically for Cisco’s Nexus-series switches.
In a new August 22 report, Sygnia reveals that the threat actor used the zero-day exploit to deploy custom malware.
Leveraging a Zero-Day to Deploy Malware
The zero-day exploit allows an attacker with valid administrator credentials to the switch management console to escape the NX-OS command line interface (CLI) and execute arbitrary commands on the Linux underlying operating system.
Exploiting this vulnerability allowed Velvet Ant to compromise and control on-premises Cisco switch appliances and use them as a main pivot to access additional network devices, allowing for clear identification of additional activities originating from known compromised locations.
Following the exploitation, Velvet Ant deployed tailored malware, which runs on the underlying operating system and is invisible to common security tools.
The malware, that Sygnia called VelvetShell, is a hybrid customized version of two open-source tools: TinyShell, a Unix backdoor and a proxy tool named 3proxy.
With this escalating evasion tactic, the APT group can maintain long-term network persistence, which is critical when deploying a cyber espionage campaign.
Cisco released a fix for this vulnerability on July 1, 2024.
A few days later, the US Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog.
Velvet Ant’s Multi-Year Intrusion Campaigns
This zero-day exploit was part of a multi-year intrusion campaign detected by Sygnia in 2023.
The campaign included the exploitation of several footholds in the target organizations’ networks.
This sophisticated approach indicates a comprehensive understanding of the target’s environment, Sygnia noted in campaign analysis.
“Over the years of espionage activities, Velvet Ant increased their sophistication, using evolving tactics to continue their cyber operations in a victim network – from operating on ordinary endpoints, shifting operations to legacy servers and finally moving towards network appliances and using 0-days” The firm commented.
“The determination, adaptability and persistence of such threat actors highlights the sensitivity of a holistic response plan not only to contain and mitigate the threat but also monitor the network for additional attempts to exploit the network,” the Sygnia researchers concluded.
Photo credit: pchow98/Flickr