It has been confirmed that the Chinese cyber espionage group Velvet Ant is exploiting a zero-day vulnerability in the Cisco NX-OS software used in its switches to distribute malware.
The vulnerability, tracked as CVE-2024-20399 (CVSS score: 6.0), is a command injection flaw that could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device.
“By exploiting this vulnerability, Velvet Ant successfully executed previously unknown custom malware, allowing the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files and execute code on the devices,” cybersecurity firm Sygnia said in a statement shared with The Hacker News.
According to Cisco, the issue is due to insufficient validation of arguments passed to certain configuration CLI commands, which an attacker could exploit by including crafted input as an argument to an affected configuration CLI command.
Additionally, the flaw lets users with administrative privileges execute commands without triggering system syslog messages, making it possible to hide the execution of shell commands on a compromised appliance.
Despite allowing code execution, the flaw is rated as less severe because it requires an attacker to already possess administrator credentials and have access to specific configuration commands. Devices affected by CVE-2024-20399 include:
- MDS 9000 Series Multilayer Switches
- Nexus 3000 Series Switches
- Nexus 5500 Platform Switches
- Nexus 5600 Platform Switches
- Nexus 6000 Series Switches
- Nexus 7000 Series Switches
- Nexus 9000 Series Switches in Standalone NX-OS Mode
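The bug class Cisco describes above (a configuration command that passes an insufficiently validated argument down to the underlying OS, combined with execution that leaves no syslog trace) can be illustrated with a small model. The following is an added example written for this page, not Cisco code and not a reproduction of NX-OS internals: `handle_copy_unsafe`, `handle_copy_safe`, the `AUDIT_LOG` list and the "copy" command are hypothetical stand-ins that show the vulnerable pattern beside a hardened form that validates the argument against an allowlist, avoids the shell, and records the invocation before executing anything.

```python
import re
import subprocess

# Constructed audit sink: a list stands in for syslog / AAA command accounting.
AUDIT_LOG = []

# Hypothetical config-CLI handler, UNSAFE form: the operator-supplied argument
# is spliced into a shell command line, so shell metacharacters inside the
# argument become additional commands run with the handler's privileges
# (root on a switch). Nothing is logged, so the execution leaves no trace.
def handle_copy_unsafe(filename: str) -> str:
    result = subprocess.run("echo copying " + filename, shell=True,
                            capture_output=True, text=True)
    return result.stdout

# Argument grammar for the hardened form: a plain file name and nothing else.
ARG_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

# Hardened form: log the invocation BEFORE doing anything (a rejected crafted
# argument still leaves a trace), validate against the allowlist grammar, and
# execute with an argv list so no shell ever interprets the argument.
def handle_copy_safe(filename: str, user: str = "admin") -> str:
    AUDIT_LOG.append(f"user={user} cmd=copy arg={filename!r}")
    if not ARG_RE.match(filename):
        raise ValueError("rejected argument: " + repr(filename))
    result = subprocess.run(["echo", "copying", filename],
                            capture_output=True, text=True, check=True)
    return result.stdout

def injection_observed(output: str) -> bool:
    # Constructed marker: "INJECTED" only reaches stdout if a second command ran.
    return "INJECTED" in output

if __name__ == "__main__":
    crafted = "config.bin; echo INJECTED"   # constructed test input
    print(handle_copy_unsafe(crafted))      # the second command runs
    try:
        handle_copy_safe(crafted)
    except ValueError as err:
        print("hardened handler:", err)
    print(AUDIT_LOG)                        # the attempt is recorded anyway
```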
Velvet Ant was first documented last month by an Israeli cybersecurity firm in connection with a cyber attack that targeted an unnamed organization in East Asia for about three years, using outdated F5 BIG-IP appliances to establish persistence in order to covertly steal customer and financial information.
“Network equipment, especially switches, is often not monitored, and its logs are often not forwarded to a centralized logging system,” Sygnia said. “Lack of monitoring makes it very difficult to identify and investigate malicious activity.”
The development comes as threat actors have been observed exploiting a critical vulnerability affecting D-Link DIR-859 Wi-Fi routers (CVE-2024-0769, CVSS score: 9.8), a path traversal issue leading to information disclosure, to collect account information such as the name, password, group and description of every user.
“Exploit variations […] allow for the extraction of account details from the device,” threat intelligence firm GreyNoise said. “Because this product is no longer supported, it will not be patched, creating a long-term exploit risk. This vulnerability can be used to invoke multiple XML files.”