
Chinese hackers exploit Cisco Switch zero-day to distribute malware

July 2, 2024 | Newsroom | Cyber espionage / Vulnerabilities


It has been confirmed that the Chinese cyber espionage group Velvet Ant is exploiting a zero-day vulnerability in the Cisco NX-OS software used in its switches to distribute malware.

The vulnerability, tracked as CVE-2024-20399 (CVSS score: 6.0), involves a case of command injection that could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device.

“By exploiting this vulnerability, Velvet Ant successfully executed previously unknown custom malware, allowing the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the device,” cybersecurity firm Sygnia said in a statement shared with The Hacker News.

According to Cisco, the issue is due to insufficient validation of arguments passed to certain configuration CLI commands, which an attacker could exploit by including crafted input as an argument to an affected configuration CLI command.


Additionally, users with administrative privileges can execute commands without triggering system syslog messages, making it possible to hide the execution of shell commands on a hacked appliance.

Although the flaw allows code execution, it is rated as less severe because an attacker must already hold administrator credentials and have access to the specific configuration commands involved. Devices affected by CVE-2024-20399 include:

  • MDS 9000 Series Multilayer Switches
  • Nexus 3000 Series Switches
  • Nexus 5500 Platform Switches
  • Nexus 5600 Platform Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches, and
  • Nexus 9000 Series Switches in Standalone NX-OS Mode
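The two weaknesses described above, insufficient validation of a CLI argument that reaches the root shell and command execution that leaves no syslog trace, can be illustrated with a small mock. This is an added example, not Cisco's code or Sygnia's; the command name, the argument allowlist and the audit record format are assumptions, since the affected NX-OS commands are not named in the article.

```python
import re
from dataclasses import dataclass

# Constructed mock of a configuration CLI command that passes one argument
# (a filename) down to the underlying Linux OS as root.
# Assumed allowlist for a plain filename: no spaces, no shell metacharacters.
ARG_PATTERN = re.compile(r"[A-Za-z0-9._-]{1,64}")
COMMAND_NAME = "show-file"  # hypothetical command name


@dataclass
class AuditRecord:
    user: str
    role: str
    command: str
    argument: str
    outcome: str


# In-memory stand-in for the syslog/accounting stream the article says is missing.
AUDIT_LOG: list[AuditRecord] = []


def vulnerable_shell_line(argument: str) -> str:
    """Insufficient validation: the argument is interpolated verbatim into a
    shell line that would run as root. Returned rather than executed, so the
    injected second command stays visible in the result."""
    return f"cat /bootflash/{argument}"


def hardened_argv(user: str, role: str, argument: str) -> list[str]:
    """Allowlist the argument, build an argv list (no shell parsing), and record
    every attempt, accepted or rejected, regardless of the caller's role."""
    if not ARG_PATTERN.fullmatch(argument):
        AUDIT_LOG.append(AuditRecord(user, role, COMMAND_NAME, argument, "rejected"))
        raise ValueError(f"invalid argument for {COMMAND_NAME}: {argument!r}")
    AUDIT_LOG.append(AuditRecord(user, role, COMMAND_NAME, argument, "accepted"))
    return ["cat", f"/bootflash/{argument}"]


if __name__ == "__main__":
    print(vulnerable_shell_line("startup.cfg; echo injected"))
    print(hardened_argv("admin", "admin", "startup.cfg"))
    try:
        hardened_argv("admin", "admin", "startup.cfg; echo injected")
    except ValueError as exc:
        print("rejected:", exc)
    for record in AUDIT_LOG:
        print(record)
```

The point for defenders is the second function: the allowlist closes the injection path, and the audit entry is written even when the caller is an administrator, which is exactly the gap the advisory describes.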

Velvet Ant was first documented last month by an Israeli cybersecurity firm in connection with a cyber attack that targeted an unnamed organization in East Asia for about three years, using outdated F5 BIG-IP appliances to establish persistence and covertly steal customer and financial information.

“Network equipment, especially switches, are often not monitored, and their logs are often not forwarded to a centralized logging system,” Sygnia said. “Lack of monitoring makes it very difficult to identify and investigate malicious activity.”


This development comes as threat actors are exploiting a critical vulnerability (CVE-2024-0769, CVSS score: 9.8) affecting D-Link DIR-859 Wi-Fi routers (a path traversal issue leading to information disclosure) to gather account information such as names, passwords, groups, and descriptions of all users.

“Variations of this vulnerability allow for the extraction of account details from the device,” threat intelligence firm GreyNoise said. “As this product is no longer supported, it will not be patched and there is a long-term risk of exploitation. This vulnerability can be used to invoke multiple XML files.”
