Cisco recently addressed a critical zero-day vulnerability (CVE-2024-20399) in its NX-OS software, exploited by a sophisticated Chinese state-sponsored group known as Velvet Ant. This group used the vulnerability to infiltrate and manipulate switches, leading to the installation of custom malware with root-level privileges.
Details of the Exploitation
In April, the cybersecurity firm Sygnia uncovered the exploitation during an extensive forensic investigation into Velvet Ant's activities. This Chinese cyberespionage group had gained administrator-level access to Cisco Nexus switches and leveraged the zero-day flaw to install previously unknown malware.
The attackers exploited the vulnerability by passing maliciously crafted input to specific configuration CLI commands, enabling them to execute arbitrary commands with root permissions on the devices' operating systems. This allowed them to remotely connect to compromised devices, upload additional files, and execute malicious code without triggering system logs, thereby evading detection.
Vulnerability Scope and Impact
The vulnerability affected several Cisco devices running NX-OS software, including:
- MDS 9000 Series Multilayer Switches
- Nexus 3000 Series Switches
- Nexus 5500 Platform Switches
- Nexus 5600 Platform Switches
- Nexus 6000 Series Switches
- Nexus 7000 Series Switches
- Nexus 9000 Series Switches in standalone NX-OS mode
Cisco detailed that this flaw arises from insufficient validation of arguments passed to specific CLI commands. When exploited, the vulnerability grants attackers root-level access, allowing them to execute commands on the underlying operating system.
Cisco's Response and Recommendations
Cisco has released patches to address the CVE-2024-20399 vulnerability. The company urges customers to regularly monitor and change the credentials of network-admin and vdc-admin administrative users to mitigate potential risks. Admins can use the Cisco Software Checker tool to identify and update vulnerable devices within their networks.
Broader Implications and Past Incidents
This recent incident is part of a larger trend of sophisticated attacks against Cisco’s products:
- April 2024: Cisco warned about another state-backed group, identified as UAT4356 or STORM-1849, exploiting zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359) in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls. This campaign, dubbed ArcaneDoor, targeted government networks globally, utilizing custom malware to maintain persistence and evade detection since November 2023.
- Previous Exploits: These hackers have been active since at least July 2023, developing exploits and conducting reconnaissance on the zero-day flaws. They have consistently used these vulnerabilities to install malware on ASA and FTD devices, though the initial attack vector remains unidentified.
Persistent Threats from Velvet Ant
Velvet Ant has a history of targeting high-value networks and devices. Last month, Sygnia reported that the group exploited F5 BIG-IP appliances with custom malware, maintaining a presence in victims' networks for up to three years to steal sensitive information. This long-term campaign was characterized by its stealth and persistence, making it difficult to detect and mitigate.
Cisco has released patches to address the CVE-2024-20399 vulnerability |
Conclusion
The recent patching of the NX-OS zero-day by Cisco highlights the ongoing threat posed by sophisticated cyberespionage groups like Velvet Ant. Organizations using affected Cisco devices should act promptly to apply updates and reinforce their security practices. This incident underscores the critical need for vigilant cybersecurity measures and the importance of timely patching in protecting against advanced persistent threats.