Velvet Ant Exploits Cisco Zero-Day Flaw
Recent events in the cybersecurity landscape have brought to light the activities of a China-nexus cyber espionage group known as Velvet Ant. The threat actor group has been observed exploiting a zero-day flaw in the Cisco NX-OS software. In this article, we’ll learn more about the vulnerability and its exploitation. Let’s begin!
Uncovering The Cisco Zero-Day Flaw
As per recent media reports, the Cisco NX-OS vulnerability is tracked as CVE-2024-20399. It currently has a Common Vulnerability Scoring System (CVSS) score of 6.0. However, it can allow threat actors like the China-nexus cyber espionage group Velvet Ant to execute arbitrary code.
Once the vulnerability is exploited, that code runs on the underlying operating system of the compromised device. Commenting on the vulnerability, cybersecurity firm Sygnia stated that:
“By exploiting this vulnerability, Velvet Ant successfully executed a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices.”
Severity Of CVE-2024-20399
Successful exploitation of CVE-2024-20399 is concerning because it gives attackers code execution capabilities. Even so, this zero-day flaw has a low severity score.
The justification for such a score is that successful exploitation of the zero-day flaw would require the threat actor to have access to administrator credentials and specific configuration commands. As of now, the devices affected by the zero-day flaw include the following:
- MDS 9000 Series Multilayer Switches.
- Nexus 3000 Series Switches.
- Nexus 5500 Platform Switches.
- Nexus 5600 Platform Switches.
- Nexus 6000 Series Switches.
- Nexus 7000 Series Switches.
- Nexus 9000 Series Switches in standalone NX-OS mode.
Cybersecurity Zero-Day Flaw Discovery
According to the report from Sygnia, in-the-wild exploitation attempts of the zero-day flaw were first discovered during an investigation that took place last year. Cisco has stated that it became aware of the vulnerability in April 2024.
Velvet Ant's activity was first documented by an Israeli cybersecurity firm last month. The activity was in relation to a cyber attack targeting an organization in East Asia.
During that attack, the threat actors established persistence using outdated F5 BIG-IP appliances to acquire customer and financial information. Providing further insight, the cybersecurity firm stated that:
“Network appliances, particularly switches, are often not monitored, and their logs are frequently not forwarded to a centralized logging system. This lack of monitoring creates significant challenges in identifying and investigating malicious activities.”
Commenting on the zero-day flaw exploits, Cisco has said that the issue stems from insufficient validation of arguments passed through CLI commands for specific configurations.
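The two points above, unforwarded switch logs and unvalidated CLI arguments, suggest a simple check a defender can run once command accounting reaches a central store. The following is an added example, not code from Cisco, Sygnia or the original article: the log format, the command name example-config-cmd, the host names and the argument allowlist are all constructed assumptions.

```python
import re

# Constructed, simplified command-accounting records (not real NX-OS output):
# "<timestamp> <switch> <user> <command line as typed>"
SAMPLE_LOG = [
    "2024-07-01T10:02:11Z sw-core-01 admin show version",
    "2024-07-01T10:03:40Z sw-core-01 admin example-config-cmd uplink-1",
    "2024-07-01T10:05:02Z sw-core-01 admin example-config-cmd uplink-1;echo test",
    "2024-07-01T10:06:17Z sw-edge-07 netops example-config-cmd `echo test`",
    "2024-07-01T10:07:55Z sw-edge-07 netops show interface Ethernet1/1",
    "truncated-record",
]
# Constructed inventory of switches that are expected to forward logs.
INVENTORY = {"sw-core-01", "sw-edge-07", "sw-dist-03"}

# Assumed allowlist for a single CLI argument; tune it to the commands in use.
SAFE_ARG = re.compile(r"[A-Za-z0-9_.,/:-]+")

def parse(line):
    """Return a record dict, or None if the line is not in the assumed format."""
    parts = line.split(" ", 3)
    if len(parts) != 4:
        return None
    return dict(zip(("ts", "host", "user", "command"), parts))

def scan(lines):
    """Flag commands whose arguments contain characters outside the allowlist."""
    findings = []
    for rec in filter(None, map(parse, lines)):
        # Split on whitespace only: shell-style parsing would consume the
        # quoting and metacharacters this check is looking for.
        bad = [a for a in rec["command"].split()[1:] if not SAFE_ARG.fullmatch(a)]
        if bad:
            findings.append({**rec, "bad_args": bad})
    return findings

def silent_switches(inventory, lines):
    """Return inventoried switches that produced no record at all."""
    seen = {rec["host"] for rec in filter(None, map(parse, lines))}
    return sorted(set(inventory) - seen)

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["host"], f["user"], f["bad_args"])
    print("no logs received from:", silent_switches(INVENTORY, SAMPLE_LOG))
```

A hit from scan is a prompt to review the session and the account that issued the command, and a name returned by silent_switches is a device whose activity cannot be reviewed at all until its logs are forwarded.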
Conclusion
The exploitation of the zero-day flaw in Cisco switches by Velvet Ant underscores the persistent threat posed by cyber espionage groups. This incident highlights the critical need for proactive security protocols and continuous monitoring of network appliances.
It also emphasizes the importance of timely patch management and regular security audits to prevent similar vulnerabilities. Staying informed about emerging threats and maintaining up-to-date defenses are crucial steps in safeguarding the digital ecosystem.
The sources for this piece include articles in The Hacker News and The Record.