North Korean Hackers Exploited Chrome Zero-Day to Deploy Rootkit and Steal Crypto
Published on September 2, 2024
Published on September 2, 2024
China-Nexus Cyber Spies Velvet Ant Exploit Cisco Zero-Day to Execute Malicious Code
Published on July 2, 2024
- A China-backed cyber espionage group tracked as Velvet Ant abused a command injection flaw in the Cisco NX-OS Software.
- The threat actor successfully executed malicious code on the Nexus switch’s Linux OS.
- They deployed a previously unknown custom malware that permitted remote access to compromised Cisco Nexus devices.
A China-nexus cyber-espionage group has been observed exploiting a zero-day vulnerability in Cisco NX-OS Software to deliver malware, a Sygnia report says, attributing the exploit to the Velvet Ant threat actor. The newly discovered CVE-2024-20399 command injection flaw affects a wide range of Cisco Nexus switches, for which this operating system is specifically used.
NX-OS is based on a Linux kernel but provides its own set of commands using the NX-OS CLI. An attacker would need a “jailbreak” type of vulnerability to escape the NX-OS CLI context and execute commands on the Linux OS from the Switch management console, and CVE-2024-20399 permits arbitrary code execution leveraging valid administrator credentials.
The cybercriminal group exploited this vulnerability as a ‘zero-day’ and executed commands on the Cisco Nexus devices’ operating system to deploy previously unknown custom malware, which permitted remote access to the compromised devices, uploading additional files, and remote code executions.
This medium-severity vulnerability impacts MDS 9000 Series Multilayer, Nexus 3000 Series, Nexus 5500 Platform, Nexus 5600 Platform, Nexus 6000 Series, Nexus 7000 Series, and Nexus 9000 Series switches in standalone NX-OS mode.
Velvet Ant was seen compromising Internet-exposed legacy F5 BIG-IP appliances to maintain access to the target network of an unnamed organization located in East Asia for about three years. The threat actor achieved remarkable persistence within the environment of one victim company and hijacked execution flow via DLL search order hijacking, Phantom DLL loading, and DLL sideloading for espionage.