In a recent cybersecurity breach, Chinese state-backed hackers known as Velvet Ant have exploited a newly patched zero-day vulnerability in Cisco Nexus switches. Identified as CVE-2024-20399, this critical flaw resides in the command-line interface (CLI) of Cisco NX-OS software and was patched on July 2, 2024. Despite the vulnerability requiring administrator privileges for exploitation, the attackers successfully leveraged it to execute arbitrary commands as root on targeted devices.
The vulnerability arises from insufficient validation of arguments passed to specific configuration CLI commands. An attacker can exploit this weakness by supplying crafted input as the argument for an affected configuration command, leading to arbitrary command execution on the underlying operating system with root privileges. Although the bug received a CVSS score of only 6 due to its prerequisites, the sophisticated threat group Velvet Ant managed to exploit it in an attack discovered in April, before the patch was available.
According to security vendor Sygnia, the exploitation involved the deployment of a previously unknown custom malware. This malware allowed Velvet Ant to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices. The incident underscores the tendency of advanced threat actors to target network appliances, which are often insufficiently protected and monitored, to maintain persistent access to networks. This highlights the critical importance of adhering to security best practices to defend against such sophisticated threats.
Sygnia has urged Cisco customers to bolster their security measures. Recommendations include improving centralized logging, enhancing network monitoring for switches, enforcing regular patching, practicing good password hygiene, and restricting admin access. This breach demonstrates the persistent risk posed by advanced cyber-espionage groups like Velvet Ant and emphasizes the necessity for robust security practices to safeguard critical network infrastructure.
Reference:
