Chinese Hackers Exploit Cisco Vulnerability To Deliver Malware

Uploaded on 2024-07-09 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Researchers at cybersecurity firm Sygnia have uncovered a Chinese cyber espionage campaign targeting a newly discovered command injection vulnerability in Cisco’s Cisco NX-OS software. They discovered the vulnerability and its exploitation as part of an ongoing forensic investigation of a threat group it has dubbed Velvet Ant.

The vulnerability, tracked as CVE-2024-20399, concerns a case of command injection that allows an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device.

"By exploiting this vulnerability, Velvet Ant successfully executed a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices" Sygnia said in a statement.

Cisco said the issue stems from insufficient validation of arguments that are passed to specific configuration CLI commands, which could be exploited by an adversary by including crafted input as the argument of an affected configuration CLI command.

Furthermore, it enables a user with administrator privileges to execute commands without triggering system syslog messages, thereby making it possible to conceal the execution of shell commands on hacked appliances.

Despite the code execution capabilities of the flaw, the lower severity is due to the fact that successful exploitation requires an attacker to be already in possession of administrator credentials and have access to specific configuration commands.

The following devices are impacted by CVE-2024-20399:

  • MDS 9000 Series Multilayer Switches
  • Nexus 3000 Series Switches
  • Nexus 5500 Platform Switches
  • Nexus 5600 Platform Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches, and
  • Nexus 9000 Series Switches in standalone NX-OS mode

Velvet Ant was first documented by the Israeli cyber security firm in connection with a cyber attack targeting an unnamed organisation located in East Asia for a period of about three years by establishing persistence using outdated F5 BIG-IP appliances in order to stealthily steal customer and financial information.

Despite difficulties in exploiting flaws like CVE-2024-20399, sophisticated threat actors, such as Velvet Ant, tend to target insufficiently protected network appliances for persistent access to enterprise environments.

Sygnia     |     Cisco     |     Cyber Daily   |   Security Affairs     |     Security Week   |    TheHacker News    

Image: Ideogram

You Might Also Read: 

Attacks Against Cisco Firewall Platforms:  

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Inside The Mind Of A CISO
Half Of Employees Don’t Report Security Mistakes »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Logicalis

Logicalis

Logicalis are a leading provider of global IT solutions and managed services.

Cyber Together

Cyber Together

Cyber Together is dedicated to advancing the cyber security industry by giving businesses access to Israel’s leaders, innovators and great minds in the field of cyber security.

CCL Solutions Group

CCL Solutions Group

CCL is one of Europe’s leading digital investigation specialists, supporting law enforcement, government and organisations across both public and private sectors.

tietoevry

tietoevry

Tietoevry creates digital advantage for businesses and society. We are a leading digital services and software company with local presence and global capabilities.

First Response

First Response

First Response is a Cyber Incident Response and Digital Forensic Investigation company.

ABL Cyber Academy

ABL Cyber Academy

ABL provide certified training courses in the field of cyber security and IT project management.

VADO Security Technologies

VADO Security Technologies

VADO Security enables the safe transfer of data between low & high security networks.

ThreatSpike Labs

ThreatSpike Labs

ThreatSpike Labs provides the first end-to-end fully managed security service for companies of all sizes.

FraudHunt

FraudHunt

FraudHunt protects your website from account fraud, ad fraud, fraud clicks, and malicious bots.

Theta432

Theta432

THETA432 is a cybersecurity firm that provides 24/7/365 managed prevention, detection, response, Hybrid SOC, cyber defense monitoring services with dynamically defined defense (3D™).

ProCheckUp

ProCheckUp

ProCheckUp is a London-based independent provider of cyber security services, including IT Security, Assurance, Compliance and Incident Response.

Votiro

Votiro

Votiro is an award-winning cybersecurity company that specializes in file sanitization, ensuring every organization is safe from zero-day and undisclosed attacks.

rSolutions

rSolutions

rSolutions delivers managed cybersecurity services to clients in many industry sectors including financial services, telecommunications, energy, government and retail.

AuthX

AuthX

AuthX provides secure and seamless log-in capabilities through strong authentication and integrations.

Beazley Security

Beazley Security

Beazley Security is a global cyber security firm committed to helping clients develop true cyber resilience: the ability to withstand and recover from any cyberattack.

HCLTech

HCLTech

HCLTech is a global technology company delivering industry-leading capabilities centered around digital, engineering, cloud and AI, powered by a broad portfolio of technology services and products.