Dive Brief:
- A suspected threat actor with ties to China is actively exploiting a zero-day vulnerability in Cisco NX-OS software, researchers said Monday.
- The suspected actor, dubbed Velvet Ant, is exploiting a command injection vulnerability, identified as CVE-2024-20399, which impacts a wide range of Cisco Nexus devices, according to researchers at Sygnia. The vulnerability has a CVSS score of 6.0; however, Sygnia researchers warn that the threat actor is highly sophisticated and is deploying custom malware.
- Cisco on Monday released software updates for some NX-OS hardware platforms and will continue to release additional fixes as they are ready. The company said there are no workarounds that address the flaw.
Dive Insight:
Sygnia discovered the exploitation as part of a larger investigation into Velvet Ant's espionage work and found that the threat actor has been operating on a victim’s computer network for three years.
During the prior investigation, researchers discovered the suspected state-sponsored actor maintaining persistence on a legacy F5 BIG-IP appliance that was exposed to the internet.
Sygnia discovered threat activity against Cisco Nexus devices earlier this year and reported it to the company.
Cisco Nexus devices are often used as backbone switches for data centers, according to Amnon Kushnir, director of incident response at Sygnia. The ability of the hacker to gain root access to the Linux-based operating system and deploy custom malware makes the threat activity particularly challenging.
Network appliances — and switches in particular — are often not monitored and the logs are usually not sent to a centralized logging system, according to Sygnia researchers. The custom malware allowed the hacker to “enable code execution and traffic tunneling,” so once the malware was deployed, the hackers no longer needed to log in to gain access to the network.
The Cybersecurity and Infrastructure Security Agency has added the bug to its Known Exploited Vulnerabilities catalog. The vulnerability can allow an attacker to execute arbitrary commands with the privileges of root. However, the attackers must have administrator credentials to exploit the vulnerability.