Velvet Ant Exploits Cisco Zero-Day Flaw For System Control
In light of recent cybercrime events, details pertaining to the Cisco zero-day flaw that has now been patched have emerged. As per the details, the flaw, if exploited, could allow threat actors to seize control of appliances and aid in evading detection. In the article, we’ll dive deep into the Cisco zero-day flaw and determine its severity.
Cisco Zero-Day Flaw Initial Discovery
Cybercrime activity pertaining to the Cisco zero-day flaw has been attributed to threat actor Velvet Ant. The threat actor first caught the attention of researchers for involvement in a multi-year campaign that targeted an unnamed organization in East Asia.
The cybercrime activity observed earlier had a critical vulnerability severity score (CVSS) of 6.0 and involved the exploitation of CVE-2024-20399. The underlying aim of the activity was to deliver malware, gain control, exfiltrate data, and maintain persistent access.
Providing further details pertaining to the exploit, Sygnia, a cybersecurity company, stated that:
“The zero-day exploit allows an attacker with valid administrator credentials to the Switch management console to escape the NX-OS command line interface (CLI) and execute arbitrary command on the Linux underlying operating system.”
Cisco Zero-Day Exploit Severity
The discovery of the exploitation of CVE-2024-20399 is what has prompted Cisco to issue an update pertaining to the security flaw. Such threat actors are known for sophisticated attack and shape-shifting tactics. They initially infiltrate Windows systems before moving to legacy Windows servers and network devices.
Infiltrating the servers and devices is what aids in evading detection. Commenting on the tactics, cybersecurity experts have stated that:
“The transition to operating from internal network devices marks yet another escalation in the evasion techniques used in order to ensure the continuation of the espionage campaign.”
The CVE-2024-20399 attack chain entails acquiring access and control to Cisco devices and then initiating reconnaissance activities. VELVERSHELL, the delivered payload, is developed using two open-source tools. In addition, a Unix backdoor named Tiny SHell and a proxy utility called 3proxy also play a role in its development.
It’s worth mentioning here that the payload is capable of executing arbitrary commands, establishing tunnels for proxying network traffic, and downloading and uploading files. Commenting on the severity, Sygnia has stated that:
“The modus-operandi of ‘Velvet Ant’ highlights risks and questions regarding third-party appliances and applications that organizations onboard. Due to the ‘black box’ nature of many appliances, each piece of hardware or software has the potential to turn into the attack surface that an adversary is able to exploit.”
Conclusion
The exploitation of the Cisco zero-day flaw by Velvet Ant reveals the evolving tactics of threat actors in targeting network devices to evade detection and maintain control. As the attack chain demonstrates, vulnerabilities like CVE-2024-20399 pose serious risks, especially when combined with sophisticated payloads like VELVETSHELL.
This incident emphasizes the importance of regular security updates, vigilance in monitoring network traffic, scrutiny of third-party appliances, and the use of advanced security solutions to mitigate potential cybersecurity threats effectively.
The source for this piece includes articles in The Hacker News and Security Week.