
Cisco Patches an Exploited Zero-Day Vulnerability from databreachtoday.com


In a recently disclosed attack, China-nexus hackers tracked as Velvet Ant exploited a zero-day vulnerability in Cisco's NX-OS software back in April. The flaw allowed the hackers to execute arbitrary commands on compromised devices, posing a significant threat to the organizations running them.

Cisco addressed the issue on Monday by releasing a patch for the zero-day vulnerability. The discovery of the exploit was credited to cybersecurity firm Sygnia, which identified the remote connection Velvet Ant made to the NX-OS software running on Cisco switches. The group used that access to execute malicious code and gain root access to the compromised devices.

The vulnerability, tracked as CVE-2024-20399, enabled authenticated local attackers to run commands as root, which underlines the severity of the flaw. This type of command injection vulnerability is particularly dangerous because the injected commands are executed without triggering system syslog messages, so the malicious activity leaves little trace for defenders to detect.

Despite the potential for code execution and the prevalence of Cisco Nexus switches in enterprise environments, the vulnerability carries a relatively low rating on the Common Vulnerability Scoring System (CVSS) scale. The rating is lower because an attacker must already hold admin credentials and know specific configuration commands to exploit the flaw successfully. Additionally, most Nexus switches are not directly exposed to the internet, which further limits the attack surface.

However, this incident underscores the trend of sophisticated threat groups leveraging network appliances, like switches, to maintain persistent access within corporate networks. Network appliances are often overlooked in terms of security measures, making them attractive targets for cybercriminals seeking to infiltrate organizations.

In a related incident, the same threat actor used outdated F5 BIG-IP appliances to deploy custom malware and steal sensitive data from an East Asian company. The malicious campaign went undetected for three years, underscoring the need for increased vigilance and proactive security measures within organizations.

To mitigate the risk posed by this zero-day vulnerability, Cisco recommends that companies update their admin credentials and closely monitor network activity. Admins can also use Cisco's software checker page to assess their devices' exposure and take the necessary precautions to prevent potential attacks.

Overall, the exploitation of this zero-day vulnerability by China-nexus hackers highlights the ongoing threat of cyber attacks and the importance of robust security practices to safeguard against advanced threats in today’s digital landscape.
