    Chinese Hackers Exploiting Cisco Switches Zero-Day to Deliver Malware

    A China-linked cyber espionage group dubbed Velvet Ant has been observed exploiting an unpatched vulnerability in the Cisco NX-OS Software used in its switches to deliver malware.

    The vulnerability, tracked as CVE-2024-20399 (CVSS score: 6.0), is a command injection flaw that allows an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device.

    “By exploiting this vulnerability, Velvet Ant succeeded in deploying a hitherto unknown custom malware that facilitated remote connectivity to compromised Cisco Nexus devices, permitting the upload of supplementary files and the execution of code on said devices,” cybersecurity firm Sygnia said in a statement shared with The Hacker News.

    Cisco said the flaw stems from insufficient validation of arguments passed to specific configuration CLI commands. An adversary can exploit it by supplying crafted input as the argument of an affected configuration CLI command.

    It also allows a user with administrator privileges to execute commands without triggering system syslog messages, which conceals the execution of shell commands on compromised appliances.

    Although the flaw allows code execution, its lower severity rating reflects the fact that an attacker must already possess administrator credentials and have access to specific configuration commands. The following devices are affected by CVE-2024-20399:

    • MDS 9000 Series Multilayer Switches
    • Nexus 3000 Series Switches
    • Nexus 5500 Platform Switches
    • Nexus 5600 Platform Switches
    • Nexus 6000 Series Switches
    • Nexus 7000 Series Switches
    • Nexus 9000 Series Switches in standalone NX-OS mode

    Velvet Ant was first documented by the Israeli cybersecurity firm last month in connection with a cyber attack that targeted an undisclosed organization in East Asia for approximately three years, maintaining persistence through outdated F5 BIG-IP appliances to covertly steal customer and financial data.

    “Network appliances, particularly switches, are seldom scrutinized, and their logs are infrequently relayed to a centralized logging system,” Sygnia stated. “This deficiency in monitoring engenders significant obstacles in detecting and probing nefarious activities.”
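
    An added example, not from Sygnia, Cisco or the original article: a small Python audit that applies the points above to an inventory of switch configurations, flagging devices in the affected series that forward no logs to a central server and listing the local network-admin accounts whose credentials the flaw requires. The inventory schema, device names and configs are constructed; it assumes NX-OS running-config lines of the form `logging server <host>` and `username <name> ... role network-admin`.

```python
import re

# Series the article lists as affected by CVE-2024-20399.
AFFECTED_SERIES = {
    "MDS 9000", "Nexus 3000", "Nexus 5500", "Nexus 5600",
    "Nexus 6000", "Nexus 7000", "Nexus 9000",
}
ADMIN_RE = re.compile(r"^username (\S+) .*\brole network-admin\b", re.M)
SYSLOG_RE = re.compile(r"^logging server (\S+)", re.M)


def is_affected(series, mode):
    """Nexus 9000 is listed only in standalone NX-OS mode."""
    if series not in AFFECTED_SERIES:
        return False
    return series != "Nexus 9000" or mode == "standalone"


def audit(device):
    """Return exposure facts for one inventory record (hypothetical schema)."""
    cfg = device["config"]
    admins = sorted(set(ADMIN_RE.findall(cfg)))   # accounts holding admin rights
    servers = SYSLOG_RE.findall(cfg)              # central log destinations
    affected = is_affected(device["series"], device["mode"])
    findings = []
    if affected and not servers:
        findings.append("no remote syslog server configured")
    if affected and len(admins) > 1:
        findings.append(f"{len(admins)} local network-admin accounts")
    return {"name": device["name"], "affected": affected,
            "admins": admins, "log_servers": servers, "findings": findings}


# Constructed sample inventory; names, addresses and configs are invented.
INVENTORY = [
    {"name": "core-sw1", "series": "Nexus 9000", "mode": "standalone",
     "config": "username admin password 5 <hash> role network-admin\n"
               "username backup password 5 <hash> role network-admin\n"
               "username noc password 5 <hash> role network-operator\n"},
    {"name": "leaf-aci1", "series": "Nexus 9000", "mode": "aci", "config": ""},
    {"name": "san-sw1", "series": "MDS 9000", "mode": "standalone",
     "config": "username admin password 5 <hash> role network-admin\n"
               "logging server 192.0.2.10 6 use-vrf management\n"},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        r = audit(dev)
        print(r["name"], "affected" if r["affected"] else "not listed", r["findings"])
```

    Because the article notes that exploitation does not trigger syslog messages, log forwarding narrows the monitoring gap Sygnia describes rather than recording the injected command itself.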

    The development comes as threat actors exploit a critical vulnerability impacting D-Link DIR-859 Wi-Fi routers (CVE-2024-0769, CVSS score: 9.8) – a path traversal issue resulting in information disclosure – to harvest account information such as usernames, passwords, groups, and descriptions for all users.
