Chinese Hackers Exploiting Cisco Switches Zero-Day to Deliver Malware

In the ever-evolving landscape of cybersecurity, the discovery of new vulnerabilities poses a constant threat to organisations worldwide. Recently, a China-nexus cyber espionage group named Velvet Ant has come into the spotlight for exploiting a zero-day flaw in Cisco NX-OS Software used in its switches to deliver malware. This sophisticated attack underscores the importance of robust security measures and vigilant monitoring of network appliances.

The Vulnerability: CVE-2024-20399

The vulnerability in question, tracked as CVE-2024-20399, has been assigned a CVSS score of 6.0. It is a command injection flaw that allows an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. Despite its moderate severity rating, the potential impact is significant due to the control it grants over compromised devices.

Cisco has identified that the issue arises from insufficient validation of arguments passed to specific configuration CLI commands. This flaw can be exploited by an adversary using crafted input, allowing them to execute commands without triggering system syslog messages. This ability to conceal command execution adds a layer of stealth to the attack, complicating detection and response efforts.
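Cisco attributes the flaw to insufficient validation of arguments passed to configuration CLI commands. The Python sketch below is an added example, not Cisco's code and not taken from the article, showing the generic pattern behind that class of bug beside its hardened counterpart: a privileged wrapper that splices an operator-supplied argument straight into a shell command string, and one that allowlists the argument, builds an argv list with no shell involved, and writes an audit record for every attempt, accepted or rejected. The wrapper, its paths and the argument format are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed scenario (not Cisco's code): a privileged command wrapper that
# takes a file name from an operator and copies it into a backup directory
# with the wrapper's (root) privileges. Paths are assumed for the example.
SOURCE_DIR = "/bootflash/"
BACKUP_DIR = "/bootflash/backup/"

# Allowlist for the argument: a plain file name, 1-64 characters, letters,
# digits, dot, dash and underscore only. Path separators, whitespace and
# shell metacharacters cannot get through this pattern.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def naive_build_command(user_arg: str) -> str:
    """The weak pattern: the operator's argument is spliced, unvalidated, into
    a single command string destined for a shell. Anything the shell treats as
    syntax inside user_arg changes what runs, so a 'file name' argument can turn
    into extra commands executed with the wrapper's privileges. This function
    only builds the string for contrast; nothing here executes it."""
    return f"cp {SOURCE_DIR}{user_arg} {BACKUP_DIR}"


def validate_argument(user_arg: str) -> bool:
    """Return True only when the argument matches the allowlist."""
    return bool(_SAFE_NAME.match(user_arg))


def safe_build_argv(user_arg: str) -> List[str]:
    """Hardened pattern: reject anything outside the allowlist, then build an
    argv list. Handing the program a list (no shell) means the argument arrives
    as one literal operand and is never re-parsed as command syntax."""
    if not validate_argument(user_arg):
        raise ValueError(f"rejected argument: {user_arg!r}")
    return ["cp", SOURCE_DIR + user_arg, BACKUP_DIR]


def handle_request(operator: str, user_arg: str, audit: List[str]) -> Dict[str, object]:
    """Entry point of the hardened wrapper. The audit record is appended before
    the decision is acted on, so a rejected or crafted argument still leaves a
    trace for the log pipeline rather than failing, or succeeding, silently."""
    accepted = validate_argument(user_arg)
    audit.append(f"operator={operator} arg={user_arg!r} accepted={accepted}")
    if not accepted:
        return {"accepted": False, "argv": None}
    return {"accepted": True, "argv": safe_build_argv(user_arg)}


if __name__ == "__main__":
    trail: List[str] = []
    for arg in ("running-config.bak", "cfg name with spaces", "../startup-config"):
        print(handle_request("netops1", arg, trail))
    print("\n".join(trail))
```

The two properties worth copying are independent: the allowlist bounds what an argument may look like, and the argv list removes the shell as an interpreter, so a mistake in one does not by itself reopen the hole. Writing the audit line before the branch is what keeps the operation visible to whatever is collecting the logs.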

Devices Impacted

The following Cisco devices are impacted by CVE-2024-20399:

  • MDS 9000 Series Multilayer Switches
  • Nexus 3000 Series Switches
  • Nexus 5500 Platform Switches
  • Nexus 5600 Platform Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches
  • Nexus 9000 Series Switches in standalone NX-OS mode

Exploitation by Velvet Ant

Velvet Ant has leveraged this vulnerability to execute custom malware, allowing them to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code. The cybersecurity firm Sygnia, which uncovered this activity, highlighted that Velvet Ant has been targeting organisations in East Asia for about three years. They have established persistence using outdated F5 BIG-IP appliances to stealthily steal customer and financial information.

The Broader Implications

This incident is a stark reminder of the risks associated with unmonitored network appliances. As Sygnia pointed out, network switches and similar devices often lack adequate monitoring, and their logs are rarely forwarded to centralised logging systems. This oversight creates significant challenges in identifying and investigating malicious activities.

Adding to the concern, threat actors are also exploiting a critical vulnerability in D-Link DIR-859 Wi-Fi routers (CVE-2024-0769, CVSS score: 9.8). This path traversal issue leads to information disclosure, enabling attackers to gather account information. Since the product is End-of-Life, it won't be patched, posing long-term exploitation risks.

Recommendations for Cybersecurity Professionals

For cybersecurity professionals, these developments highlight several key actions:

  1. Regularly Update and Patch Devices: Ensure all network appliances, including switches and routers, are regularly updated with the latest security patches.
  2. Implement Robust Monitoring: Deploy centralised logging and monitoring solutions to detect unusual activities on network appliances.
  3. Conduct Regular Security Audits: Periodically audit network configurations and access controls to identify and mitigate potential vulnerabilities.
  4. Enhance Access Controls: Limit administrative access to network devices and enforce strong authentication mechanisms to reduce the risk of credential compromise.
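The second and fourth recommendations come down to forwarding appliance logs somewhere central and then checking them against the access model. As an added example, not from the article, Sygnia or Cisco, the Python below runs three checks over a handful of constructed NX-OS-style syslog lines: administrative logins from outside an assumed management subnet, configuration changes by accounts outside an assumed approved set, and devices that have stopped reporting. The last check is there because the article notes the exploit ran commands without emitting syslog messages, so a switch that goes quiet is itself worth raising. The line layout is an approximation of syslog output, and the hosts, users, addresses and thresholds are invented.

```python
import ipaddress
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: NX-OS-style syslog lines as a central collector might
# receive them. The layout approximates syslog output and is not an exact
# NX-OS format; host names, users and addresses are invented.
SAMPLE_LOGS = """\
2024-07-02T10:15:02Z nexus-core-1 %AUTHPRIV-6-SYSTEM_MSG: login from 10.20.0.5 by netops1 succeeded
2024-07-02T10:15:40Z nexus-core-1 %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by netops1 on 10.20.0.5
2024-07-02T10:31:11Z nexus-core-2 %AUTHPRIV-6-SYSTEM_MSG: login from 203.0.113.77 by svc_backup succeeded
2024-07-02T10:31:58Z nexus-core-2 %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by svc_backup on 203.0.113.77
2024-07-02T10:40:00Z nexus-core-1 %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by netops1 on 10.20.0.5
"""

MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed management subnet
CONFIG_ADMINS = {"netops1", "netops2"}               # assumed approved admin accounts

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) %(?P<tag>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$")
LOGIN_RE = re.compile(r"login from (?P<ip>\S+) by (?P<user>\S+) succeeded")
CONFIG_RE = re.compile(r"Configured from \S+ by (?P<user>\S+) on (?P<ip>\S+)")


def parse_time(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the constructed lines."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def parse_logs(text: str) -> List[Dict]:
    """Split collector text into events; lines that do not fit the layout are
    skipped, since a real feed carries plenty of unrelated messages."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = dict(m.groupdict())
        ev["time"] = parse_time(ev["ts"])
        events.append(ev)
    return events


def in_mgmt_net(ip: str) -> bool:
    """True when the address falls inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETS)


def detect(events: List[Dict]) -> List[str]:
    """Access-control checks: one alert per rule per offending event."""
    alerts = []
    for ev in events:
        login = LOGIN_RE.search(ev["msg"])
        if login and not in_mgmt_net(login["ip"]):
            alerts.append(f"{ev['host']}: login by {login['user']} from {login['ip']} outside management network")
        cfg = CONFIG_RE.search(ev["msg"])
        if cfg:
            if cfg["user"] not in CONFIG_ADMINS:
                alerts.append(f"{ev['host']}: configuration change by unapproved account {cfg['user']}")
            if not in_mgmt_net(cfg["ip"]):
                alerts.append(f"{ev['host']}: configuration change from {cfg['ip']} outside management network")
    return alerts


def find_silent_devices(events: List[Dict], now: datetime, max_gap_seconds: int = 900) -> List[str]:
    """Hosts whose most recent message is older than the allowed gap. A device
    that was logging and then stopped deserves a look, because activity that
    deliberately avoids syslog leaves silence rather than a bad line."""
    last_seen: Dict[str, datetime] = {}
    for ev in events:
        last_seen[ev["host"]] = max(last_seen.get(ev["host"], ev["time"]), ev["time"])
    gap = timedelta(seconds=max_gap_seconds)
    return sorted(h for h, t in last_seen.items() if now - t > gap)


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for a in detect(evs):
        print("ALERT", a)
    print("silent:", find_silent_devices(evs, parse_time("2024-07-02T10:50:00Z")))
```

Run against the sample, the access rules flag the login and the configuration change on nexus-core-2 (unknown account, non-management source), and the silence check flags the same device once it has not reported for more than the fifteen-minute threshold. The silence threshold should be tuned to how chatty the devices are under normal operation; a heartbeat such as a periodic accounting or health message is a more reliable baseline than waiting for configuration events.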

