Cisco Switches Zero-Day Exploited by Chinese Hackers


A cyber espionage group from China, known as Velvet Ant, has been discovered actively exploiting a critical zero-day vulnerability in Cisco’s NX-OS. This software runs on various Cisco switches, making them susceptible to malicious attacks that deploy custom malware. Learn more about it below!

Understanding the Vulnerability

The flaw, identified as CVE-2024-20399 (CVSS score: 6.0), is a command injection vulnerability: an authenticated, local attacker can use it to execute arbitrary commands with root privileges on the underlying operating system of an affected device.

“By exploiting this vulnerability, Velvet Ant successfully executed a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices,” said Sygnia in a statement to The Hacker News.

Cisco attributes the issue to insufficient validation of the arguments passed to specific configuration CLI commands. An attacker exploits it by supplying crafted input as the argument of such a configuration CLI command.

Furthermore, the flaw lets whoever holds administrator credentials execute commands without triggering system syslog messages, which allows attackers to conceal their actions on compromised devices.

Scope and Impact of the Cisco Zero-Day Flaw

Despite the significant capabilities this flaw gives an attacker, its severity is rated comparatively low because exploitation requires both administrator credentials and access to specific configuration commands. Affected devices include:

  • MDS 9000 Series Multilayer Switches
  • Nexus 7000 Series Switches
  • Nexus 5500 Platform Switches
  • Nexus 3000 Series Switches
  • Nexus 6000 Series Switches
  • Nexus 5600 Platform Switches
  • Nexus 9000 Series Switches in standalone NX-OS mode

Velvet Ant was first publicly reported at least a month earlier, when the group was linked to attacks on an East Asian organization that used compromised F5 BIG-IP appliances to quietly steal sensitive data.

“Network appliances, particularly switches, are often not monitored, and their logs are frequently not forwarded to a centralized logging system,” highlighted Sygnia. This monitoring gap poses a significant challenge in detecting and addressing such malicious activities.
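The monitoring gap Sygnia describes, together with the flaw's ability to run commands that leave no syslog trace, makes off-box log forwarding the first thing to verify. The following audit script is an added example (not code from the article, Sygnia or Cisco): it parses the `logging server` lines of an NX-OS running-config and flags switches whose logs would stay local. The sample configs, the two-server minimum and the severity-6 policy threshold are constructed assumptions for the demonstration.

```python
import re

# Constructed sample running-config excerpts (not taken from any real device).
GOOD_CONFIG = """\
hostname core-sw1
logging server 192.0.2.10 6 use-vrf management
logging server 192.0.2.11 6 use-vrf management
logging source-interface mgmt0
"""

BAD_CONFIG = """\
hostname edge-sw7
logging logfile messages 6
logging server 192.0.2.10 3
"""

# NX-OS syntax: logging server <host> [severity 0-7] [use-vrf <vrf>] ...
LOGGING_SERVER = re.compile(r"^logging server\s+(\S+)(?:\s+(\d))?", re.MULTILINE)

# Audit policy (assumptions for this example): forward severity 6 (informational)
# and more urgent so routine operational events reach the collector, and use at
# least two collectors so a single outage does not silence the switch.
MIN_SEVERITY = 6
MIN_SERVERS = 2


def audit_logging(config_text):
    """Return the parsed syslog servers and a list of findings for one device."""
    servers = []
    for host, sev in LOGGING_SERVER.findall(config_text):
        servers.append((host, int(sev) if sev else None))

    findings = []
    if not servers:
        findings.append("no remote syslog server: logs remain only on the switch")
    elif len(servers) < MIN_SERVERS:
        findings.append(f"only {len(servers)} syslog server(s); collector is a single point of failure")
    for host, sev in servers:
        # In NX-OS the number selects messages at that severity or more urgent,
        # so a low value such as 3 forwards errors only and drops informational events.
        if sev is not None and sev < MIN_SEVERITY:
            findings.append(f"{host}: severity {sev} forwards only level {sev} or more urgent; "
                            f"policy requires {MIN_SEVERITY}")
    return {"servers": servers, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("core-sw1", GOOD_CONFIG), ("edge-sw7", BAD_CONFIG)):
        result = audit_logging(cfg)
        print(name, result["servers"], result["findings"] or ["OK"])
```

Run it against the output of `show running-config` collected from each switch; any device with findings is one whose evidence would be lost if an intruder cleared or suppressed local logs.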

This report arrives alongside disclosure of another critical vulnerability under active exploitation: the D-Link DIR-859 Wi-Fi router suffers from a path traversal issue (CVE-2024-0769, CVSS score: 9.8) that leads to information disclosure and can reveal user account details.

Final Word

The Velvet Ant group exploiting a zero-day flaw in Cisco’s NX-OS software highlights the pressing need for heightened security measures on network devices. It is crucial for organizations to monitor network appliance logs actively and ensure that system vulnerabilities are addressed promptly to thwart such sophisticated cyber threats.

author

Anas Hasan

date

July 2, 2024


Anas Hassan is a tech geek and cybersecurity enthusiast. He has a vast experience in the field of digital transformation industry. When Anas isn’t blogging, he watches the football games.
