A China-linked threat group has been observed exploiting a recently disclosed and patched zero-day flaw in Cisco switches to take control of the devices and evade detection.
Details have emerged on the exploitation of a zero-day vulnerability in Cisco NX-OS switches, recently disclosed and patched by Cisco, by a threat group with ties to China as a means of taking over the devices and avoiding discovery. The activity, attributed to a cluster tracked as Velvet Ant, was observed earlier this year. It involved weaponizing CVE-2024-20399 (CVSS score: 6.0) to deliver custom malware and gain control of the affected switch, giving the attackers persistent access and a channel for data exfiltration.
“The zero-day exploit allows an attacker with valid administrator credentials to access the Switch management console to escape the NX-OS command line interface (CLI) and execute arbitrary commands on the Linux underlying operating system,” Sygnia, a cybersecurity firm, said.
The Israeli cybersecurity company first documented Velvet Ant in connection with a multi-year campaign against an unidentified East Asian organization, in which the group used legacy F5 BIG-IP appliances as a vantage point to maintain persistence in the compromised environment. The group's exploitation of CVE-2024-20399 came to light early last month, prompting Cisco to disclose the vulnerability and release security patches.
The group's sophistication and its willingness to change tactics are notable: to stay ahead of detection, it first operated from newly deployed Windows systems, then moved to legacy Windows servers, and finally to network devices. “The transition to operating from internal network devices marks yet another escalation in the evasion techniques used in order to ensure the continuation of the espionage campaign,” Sygnia stated. The most recent attack chain involves exploiting CVE-2024-20399 to break into a Cisco switch and perform reconnaissance, then pivoting to other network devices and using a malicious script to execute backdoor code.
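Because the exploit described above presupposes valid administrator credentials and ends with a CLI escape into the underlying Linux, the practical control on the defender's side is to review who ran privileged commands on the switch, from where, and whether any of them crossed into a shell. The following Python script is an added example, not code from the article, from Sygnia or from Cisco. It assumes the record layout of the NX-OS `show accounting log` output (`<timestamp>:type=<type>:id=<source>@<tty>:user=<name>:cmd=<command> (<status>)`) as the editor remembers it, which should be checked against a real device; the allowlisted admin users and jump-host addresses are hypothetical site policy, and the sample records are constructed. The heuristics it applies (privileged command from a non-allowlisted source, explicit `run bash` / `feature bash-shell` shell transitions, shell substitution syntax inside CLI arguments) are illustrative triage rules, not Cisco's published detection guidance.

```python
"""Heuristic review of NX-OS command-accounting records (added example).

Assumptions (not from the article): the record format below mirrors
`show accounting log` output on NX-OS; ADMIN_USERS and ADMIN_SOURCES are
hypothetical site policy; SAMPLE_LOG is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records in the assumed `show accounting log` layout.
SAMPLE_LOG = """\
Mon Jul  1 09:12:03 2024:type=update:id=10.10.1.20@pts/0:user=netops:cmd=configure terminal ; interface Ethernet1/5 ; description uplink (SUCCESS)
Mon Jul  1 09:12:41 2024:type=update:id=10.10.1.20@pts/0:user=netops:cmd=copy running-config startup-config (SUCCESS)
Mon Jul  1 23:47:10 2024:type=update:id=10.10.8.77@pts/1:user=admin:cmd=run bash (SUCCESS)
Mon Jul  1 23:48:02 2024:type=update:id=10.10.8.77@pts/1:user=admin:cmd=configure terminal ; feature bash-shell (SUCCESS)
Mon Jul  1 23:49:30 2024:type=update:id=10.10.8.77@pts/1:user=admin:cmd=show interface description | include $(id) (SUCCESS)
"""

# One accounting record: timestamp, record type, <source>@<tty>, user, command, status.
RECORD_RE = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<src>[^@:]+)@(?P<tty>[^:]+):"
    r"user=(?P<user>[^:]+):cmd=(?P<cmd>.*?)(?: \((?P<status>[A-Z]+)\))?$"
)

# Hypothetical policy: accounts that hold admin rights, and the jump hosts they may use.
ADMIN_USERS = {"admin", "netops"}
ADMIN_SOURCES = {"10.10.1.20"}

# NX-OS features that deliberately drop from the CLI into Linux; rare in normal operation.
SHELL_ESCAPE_RE = re.compile(r"\brun\s+(bash|guestshell)\b|\bfeature\s+bash-shell\b")
# Shell substitution has no meaning in the NX-OS CLI, so it stands out in an argument.
SUBSTITUTION_RE = re.compile(r"\$\(|`")


@dataclass
class Finding:
    user: str
    src: str
    cmd: str
    reason: str


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Split one accounting line into its fields, or None if it does not match."""
    m = RECORD_RE.match(line.strip())
    return m.groupdict() if m else None


def review(log_text: str) -> List[Finding]:
    """Return one Finding per (record, triggered heuristic)."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["type"] != "update":
            continue  # only command executions, not session start/stop records
        reasons = []
        if rec["user"] in ADMIN_USERS and rec["src"] not in ADMIN_SOURCES:
            reasons.append("admin command from non-allowlisted source")
        if SHELL_ESCAPE_RE.search(rec["cmd"]):
            reasons.append("explicit CLI-to-shell transition")
        if SUBSTITUTION_RE.search(rec["cmd"]):
            reasons.append("shell substitution syntax in CLI arguments")
        for reason in reasons:
            findings.append(Finding(rec["user"], rec["src"], rec["cmd"], reason))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.user}@{f.src}: {f.reason}: {f.cmd}")
```

Run against the constructed sample, the two `netops` records from the allowlisted host pass silently, while every `admin` record from the unexpected address is flagged, with the `run bash` and `feature bash-shell` lines additionally marked as shell transitions. Because an attacker who reaches the underlying Linux as root can edit device-local logs, this review is only trustworthy when command accounting is also exported off-box (for example to a TACACS+ or syslog server) and the review runs there.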
The payload, dubbed VELVETSHELL, is a hybrid of two open-source tools: Tiny SHell, a Unix backdoor, and 3proxy, a proxy server. It gives the operators the ability to run arbitrary commands, download and upload files, and create tunnels to proxy network traffic. “The modus operandi of ‘Velvet Ant’ highlights risks and questions regarding third-party appliances and applications that organizations onboard,” the company said. “Due to the ‘black box’ nature of many appliances, each piece of hardware or software has the potential to turn into an attack surface that an adversary is able to exploit.”
About us:
CIO News is a property of Mercadeo Multiventures Pvt Ltd.