A China-linked cyber threat group known as Velvet Ant [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] has been exploiting a zero-day vulnerability in Cisco’s NX-OS network operating system on Nexus Switch appliances.

Description

Velvet Ant, identified by security firm Sygnia, has been exploiting a zero-day vulnerability (CVE-2024-20399) in Cisco’s NX-OS network operating system on Nexus Switch appliances. This vulnerability, which requires authenticated, local access, allowed the attackers to execute arbitrary commands as root on the underlying OS [8] [10], enabling lateral movement and persistence in compromised environments [7]. Velvet Ant demonstrated sophistication by creating a malicious library and executing commands to cover their tracks [7]. The custom malware [1] [2] [4] [5] [6] [7] [9] [10], named VELVETSHELL [1] [2] [3] [6] [9] [10], consisted of a combination of the Unix backdoor program TinyShell and proxy tool 3proxy [7]. This backdoor was injected into memory by masquerading a known process and deleted from the file system to avoid detection [7]. The group used valid administrator credentials to escape the NX-OS CLI and maintain persistent access, control compromised systems [1] [2] [3] [6] [9] [10], and conduct espionage activities [9] [10]. Velvet Ant’s activities were first observed targeting an organization in East Asia [3], utilizing sophisticated techniques to evade detection and escalate their methods [3]. The attack chain involved breaching a Cisco switch appliance [3], conducting reconnaissance [3], and pivoting to additional network devices [3]. The attackers deployed a backdoor payload called VELVETSHELL [3], enabling them to execute commands [3], transfer files [3], and create tunnels for proxying network traffic [3]. Cisco recommends monitoring administrative credentials and has provided tools to check for vulnerability [9]. The US CISA has added CVE-2024-20399 to its Known Exploited Vulnerabilities catalog [9], highlighting the severity of the threat posed by state-sponsored APT groups like Velvet Ant [9]. This incident raises concerns about the security of third-party appliances and applications that organizations use [1] [2], as each piece of hardware or software could potentially be exploited by adversaries [1] [2]. Organizations should prioritize patching and monitor network traffic for signs of unauthorized access [6], especially in environments using legacy systems or third-party appliances [6].

Conclusion

The exploitation of the zero-day vulnerability by Velvet Ant highlights the importance of proactive security measures, such as patching vulnerabilities and monitoring network traffic. Organizations must be vigilant in protecting their systems from sophisticated cyber threats and should consider the security implications of using third-party appliances and applications. The incident serves as a reminder of the ongoing threat posed by state-sponsored APT groups and the need for continuous monitoring and mitigation strategies to safeguard against cyber attacks.

References

[1] https://www.scmagazine.com/brief/zero-day-cisco-switch-bug-being-exploited-by-cyber-actors
[2] https://www.channele2e.com/brief/attackers-leverage-zero-day-cisco-switch-bug
[3] https://cybermaterial.com/chinese-hackers-exploit-cisco-switch-flaw/
[4] https://www.infosecurity-magazine.com/news/chinese-velvet-ant-cisco-0day/
[5] https://thecyberwire.com/newsletters/daily-briefing/13/162
[6] https://bragg.substack.com/p/daily-drop-848-us-cn-backchannel
[7] https://www.csoonline.com/article/3493381/chinese-apt-group-velvet-ant-deployed-custom-backdoor-on-cisco-nexus-switches.html
[8] https://thecyberthrone.in/2024/08/24/velvet-ant-apt-exploits-cisco-bug-cve-2024-20399/
[9] https://zerosecurity.org/2024/08/china-linked-apt-group-velvet-ant-exploits-cisco-zero-day-cve-2024-20399-vulnerability/
[10] https://securityaffairs.com/167423/apt/china-velvet-ant-zero-day-cisco-switches.html