Details have emerged about Velvet Ant, a China-based cyber threat group exploiting a recently disclosed security flaw in Cisco switches (CVE-2024-20399). This vulnerability, with a CVSS score of 6.0, allowed Velvet Ant to gain control over the affected switches by escaping the NX-OS command line interface and executing arbitrary commands on the underlying Linux operating system. The group used this zero-day exploit to deliver customized malware, facilitating data exfiltration and maintaining persistent access to the compromised systems.
Velvet Ant’s activities were first observed earlier this year when they targeted an unnamed organization in East Asia. The group initially infiltrated new Windows systems before transitioning to legacy Windows servers and network devices, a tactic designed to evade detection. Their sophisticated techniques include moving from internal network devices to maintain their espionage campaign, highlighting their ability to adapt and escalate their methods.
The attack chain involved breaching a Cisco switch appliance using the CVE-2024-20399 vulnerability, conducting reconnaissance, and pivoting to additional network devices. The attackers eventually executed a backdoor payload called VELVETSHELL, a combination of two open-source tools: Tiny SHell and 3proxy. This payload enabled them to execute commands, transfer files, and create tunnels for proxying network traffic, further embedding their presence within the compromised environment.
The activities of Velvet Ant underscore the risks associated with third-party appliances and applications, particularly those with a “black box” nature. These devices can become significant attack surfaces, as demonstrated by this campaign. Cisco has since issued security updates to address the flaw, but the incident serves as a reminder of the critical need for robust security measures in safeguarding network infrastructure.
Reference:
