Chinese state-sponsored hackers have been caught exploiting a zero-day vulnerability in certain Cisco switches to take control of the devices and install malware. The discovery was made by Sygnia, which uncovered a new campaign by a Chinese state-sponsored threat actor known as Velvet Ant.
According to Amnon Kushnir, Director of Incident Response at Sygnia, the threat actors first obtained administrator-level credentials, used them to access Cisco Nexus switches, and then deployed custom malware that let them connect remotely to the compromised devices, upload additional files, and execute malicious code. The vulnerability, tracked as CVE-2024-20399, has since been patched by Cisco, so users of the affected models should apply the fix immediately.
The vulnerability is a command injection flaw in the NX-OS CLI. It can only be exploited by an authenticated, local attacker who already holds administrator credentials, but it lets that attacker execute arbitrary commands as root on the underlying operating system of NX-OS, the software that runs the switches. Cisco explained that the flaw is due to insufficient validation of arguments passed to specific configuration CLI commands; an attacker exploits it by supplying crafted input as the argument of one of those commands. In practice, then, the bug does not grant initial access: it turns credentials the attacker already holds into root on the device.
The following Cisco platforms are affected:
– MDS 9000 Series Multilayer Switches
– Nexus 3000 Series Switches
– Nexus 5500 Platform Switches
– Nexus 5600 Platform Switches
– Nexus 6000 Series Switches
– Nexus 7000 Series Switches
– Nexus 9000 Series Switches in standalone NX-OS mode
Beyond giving root-level command execution, the vulnerability helps attackers stay hidden: exploiting it does not trigger system syslog messages, so an administrator watching the switch's logs will not see the exploitation itself. Because an attacker must already hold administrative credentials, Cisco advises network administrators to monitor the use of, and regularly change, the credentials of network-admin and vdc-admin users, and to check whether any of their devices are affected using the Cisco Software Checker page.
For organizations running these platforms, the practical lesson is specific rather than general: apply Cisco's fix, treat the administrator credentials of network devices as high-value secrets, and watch for unexpected administrative activity on switches, since the exploitation itself will not announce its presence in syslog.
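One way to act on that advice, as an added example that is not part of the article or of any Cisco or Sygnia material: since exploitation writes no syslog message, the signal to look for is the use of privileged credentials itself. The script below parses constructed sample lines in the shape of NX-OS `show accounting log` output, reports which hosts each privileged account was used from, and flags privileged logins from hosts outside an allowlist as well as a small watchlist of sensitive commands. The account names, trusted management hosts, watchlist and log lines are all assumptions made for illustration.

```python
"""
Added example (not from the article, Cisco or Sygnia): review an NX-OS switch's
command accounting log for use of privileged credentials from unexpected hosts
and for sensitive commands, since CVE-2024-20399 exploitation itself writes no
syslog message. Assumptions: the log lines are constructed samples in the shape
of `show accounting log` output; the privileged account names, the trusted
management hosts and the sensitive-command watchlist are placeholders.
"""
import re
from dataclasses import dataclass

# Constructed sample (not captured from a real device). Format mirrors
# NX-OS `show accounting log`: <timestamp>:type=<kind>:id=<host>@<tty>:user=<u>:cmd=<command>
SAMPLE_ACCOUNTING_LOG = """\
Mon Jul  1 09:12:01 2024:type=start:id=10.10.0.21@pts/0:user=netops:cmd=
Mon Jul  1 09:12:07 2024:type=update:id=10.10.0.21@pts/0:user=netops:cmd=show interface status (SUCCESS)
Mon Jul  1 23:41:15 2024:type=start:id=198.51.100.77@pts/1:user=admin:cmd=
Mon Jul  1 23:41:30 2024:type=update:id=198.51.100.77@pts/1:user=admin:cmd=configure terminal ; feature bash-shell (SUCCESS)
Mon Jul  1 23:42:02 2024:type=update:id=198.51.100.77@pts/1:user=admin:cmd=copy scp://198.51.100.77/tool.bin bootflash: (SUCCESS)
Tue Jul  2 08:00:00 2024:type=stop:id=10.10.0.21@pts/0:user=netops:cmd=
"""

LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}):"
    r"type=(?P<kind>\w+):id=(?P<host>[^@:]+)@(?P<tty>[^:]+):user=(?P<user>[^:]+):cmd=(?P<cmd>.*)$"
)

# Placeholder policy: accounts that hold network-admin or vdc-admin, and the
# jump hosts they are allowed to log in from.
PRIVILEGED_USERS = {"admin"}
TRUSTED_MGMT_HOSTS = {"10.10.0.21", "10.10.0.22"}
# Placeholder watchlist of NX-OS commands worth a second look when run by an admin.
SENSITIVE_CMD_PATTERNS = [
    r"\bfeature bash-shell\b",   # enables the underlying Linux shell feature
    r"\brun bash\b",             # drops into that shell
    r"\bcopy \S+ bootflash:",    # a file brought onto the device
]


@dataclass
class AccountingEvent:
    timestamp: str
    kind: str
    host: str
    tty: str
    user: str
    cmd: str


def parse_accounting_log(text: str) -> list[AccountingEvent]:
    """Parse accounting log text; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(AccountingEvent(**m.groupdict()))
    return events


def privileged_source_hosts(events, privileged=PRIVILEGED_USERS) -> dict[str, set[str]]:
    """Map each privileged account to the set of source hosts it was used from."""
    hosts: dict[str, set[str]] = {}
    for ev in events:
        if ev.user in privileged:
            hosts.setdefault(ev.user, set()).add(ev.host)
    return hosts


def find_suspicious(events, privileged=PRIVILEGED_USERS, trusted_hosts=TRUSTED_MGMT_HOSTS):
    """Return (event, reasons) pairs: privileged use from an untrusted host, or a watchlisted command."""
    findings = []
    for ev in events:
        reasons = []
        if ev.user in privileged and ev.host not in trusted_hosts:
            reasons.append(f"privileged account {ev.user} used from untrusted host {ev.host}")
        if any(re.search(p, ev.cmd) for p in SENSITIVE_CMD_PATTERNS):
            reasons.append(f"sensitive command: {ev.cmd}")
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    evs = parse_accounting_log(SAMPLE_ACCOUNTING_LOG)
    print("privileged accounts by source host:", privileged_source_hosts(evs))
    for ev, reasons in find_suspicious(evs):
        print(f"{ev.timestamp} {ev.user}@{ev.host}: " + "; ".join(reasons))
```

On the constructed sample the `netops` session from a trusted host produces nothing, while the three `admin` events from 198.51.100.77 are all flagged for the untrusted source, and two of them additionally for the watchlisted commands. The accounting log is only a starting point: it records CLI activity, not what happens on the underlying OS once root is obtained, so it should be exported off-box (for example via AAA accounting to a central server) where an attacker with root on the switch cannot edit it.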
Sead, a freelance journalist based in Sarajevo, Bosnia and Herzegovina, specializes in IT, cybersecurity, and data breaches. With over a decade of experience in journalism, he has contributed to various media outlets and conducted content writing modules for communication agencies.