Vulnerability Alert: China’s Velvet Ant Hacks Cisco Switches! Find Out How!

San Francisco, CA – Cybersecurity experts have identified a China-linked cyber espionage group known as Velvet Ant exploiting a zero-day vulnerability in the Cisco NX-OS software that runs its switches. The flaw allows attackers to deliver malware to and gain unauthorized access to compromised devices, posing a serious threat to network security.

The vulnerability, officially known as CVE-2024-20399 and rated with a CVSS score of 6.0, permits attackers to execute arbitrary commands as root on affected devices. By exploiting this flaw, Velvet Ant successfully deployed custom malware, granting them remote access to compromised Cisco Nexus devices to carry out malicious activities.

According to cybersecurity firm Sygnia, the flaw stems from insufficient validation of arguments passed to specific configuration CLI commands, enabling adversaries to execute commands without generating system syslog messages. This allows attackers to conceal their actions on hacked appliances, making detection and investigation more challenging for security teams.

Although the vulnerability is rated lower in severity because exploitation requires administrator credentials, a wide range of Cisco devices is impacted. Devices affected by CVE-2024-20399 include MDS 9000 Series Multilayer Switches, Nexus 3000 Series Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, and Nexus 9000 Series Switches in standalone NX-OS mode.

Velvet Ant made headlines last month when it was first discovered by an Israeli cybersecurity firm during a cyber attack targeting an organization in East Asia. The threat group utilized outdated F5 BIG-IP appliances to steal sensitive data over a three-year period, highlighting the importance of monitoring network appliances to identify and mitigate malicious activities.

In a separate incident, threat actors are exploiting a critical vulnerability affecting D-Link DIR-859 Wi-Fi routers, leading to information disclosure and theft of account information. Exploitation of this vulnerability, designated CVE-2024-0769 with a CVSS score of 9.8, poses a long-term risk because the affected product is End-of-Life and will not receive patches.

Overall, the rise in cyber threats underscores the importance of proactive cybersecurity measures to secure network infrastructure and protect against potential breaches. Organizations are encouraged to stay vigilant, monitor their network devices closely, and implement necessary security patches to mitigate the risk of cyber attacks.