Velvet Ant Delivers Malware at No Charge

Cyber threat researchers recently uncovered a Chinese cyber espionage campaign targeting a newly discovered command injection vulnerability in Cisco's NX-OS software. They found the vulnerability and its exploitation as part of an ongoing forensic investigation of the Velvet Ant threat group. The vulnerability, tracked as CVE-2024-20399, is a command injection flaw that allows an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device.[1]

By exploiting this vulnerability, Velvet Ant successfully executed a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices. A Cisco spokesman said the issue stems from insufficient validation of arguments passed to specific configuration CLI commands, which an adversary could exploit by supplying crafted input as the argument of an affected configuration CLI command.

It enables a user with administrator privileges to execute commands without triggering system syslog messages, thereby making it possible to conceal the execution of shell commands on hacked appliances.

Despite the flaw's code execution capabilities, it carries a lower severity rating because successful exploitation requires an attacker who already possesses administrator credentials and has access to the specific configuration commands.
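The root cause Cisco describes, an argument passed to a configuration command without adequate validation, is a general bug class, and the example below (added here; it is not Cisco's code and does not model NX-OS internals) shows the pattern in miniature. The command name "config-apply" and the argument format are hypothetical. The unsafe function only tokenizes the interpolated command line the way a POSIX shell would, so the effect of metacharacters in the argument is visible without executing anything; the hardened functions enforce an allowlist and build an argv list that never passes through a shell.

```python
import re
import shlex
from typing import List

# Constructed illustration of the bug class: a management-plane CLI that
# forwards a user-supplied argument to an OS-level helper. The command name
# "config-apply" and the argument format (a configuration file name) are
# hypothetical and not taken from any Cisco product.

# Allowlist for the argument: letters, digits, dot, underscore, hyphen.
# The first character may not be '-', so the value can never be parsed as
# an option by the helper it is handed to.
ARG_PATTERN = re.compile(r"^[A-Za-z0-9_.][A-Za-z0-9_.-]{0,63}$")


def shell_tokens_unsafe(arg: str) -> List[str]:
    """Vulnerable pattern: the argument is interpolated into a shell command
    line. Returns the tokens a POSIX shell would see; a ';' or '|' inside
    `arg` becomes its own token, i.e. a second command."""
    line = f"config-apply {arg}"
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    return list(lexer)


def validate_arg(arg: str) -> bool:
    """Hardened check: accept only arguments that match the allowlist."""
    return ARG_PATTERN.fullmatch(arg) is not None


def build_argv_safe(arg: str) -> List[str]:
    """Hardened pattern: validate first, then build an argv list for
    subprocess.run(..., shell=False). The argument stays a single token
    whatever it contains, because no shell ever parses it. The '--' ends
    option parsing in the helper, a second line of defence."""
    if not validate_arg(arg):
        raise ValueError(f"rejected argument: {arg!r}")
    return ["config-apply", "--", arg]


if __name__ == "__main__":
    for candidate in ("switch.cfg", "switch.cfg; id", "-rf"):
        print("input:     ", repr(candidate))
        print("  shell sees:", shell_tokens_unsafe(candidate))
        try:
            print("  hardened:  ", build_argv_safe(candidate))
        except ValueError as exc:
            print("  hardened:  ", exc)
```

The design choice worth noting is that the allowlist is the primary control and the argv list is the secondary one: rejecting anything outside the expected character set catches malformed input early and gives the operator a log line to alert on, while the shell-free invocation makes the remaining surface a single argument rather than a command line.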

CVE-2024-20399 impacts the following devices:

  • MDS 9000 Series Multilayer Switches
  • Nexus 3000 Series Switches
  • Nexus 5500 Platform Switches
  • Nexus 5600 Platform Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches, and
  • Nexus 9000 Series Switches in standalone NX-OS mode

The Israeli cyber security firm first documented Velvet Ant in connection with a cyber-attack on an unnamed organization in East Asia that lasted about three years; the group maintained persistence through outdated F5 BIG-IP appliances in order to stealthily steal customer and financial information. Despite the difficulty of exploiting flaws like CVE-2024-20399, sophisticated threat actors such as Velvet Ant tend to target insufficiently protected network appliances for persistent access to enterprise environments.


This article is shared at no charge and is for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424


[1] https://www.cybersecurityintelligence.com/blog/chinese-hackers-exploit-cisco-to-deliver-malware-7768.html
