Chinese Hackers are Taking Advantage of the Zero-Day Vulnerability of CISCO Switches to Spread Malware.

A China-linked cyber espionage group tracked as Velvet Ant has been observed exploiting a zero-day vulnerability in Cisco NX-OS Software, the operating system that runs Cisco's Nexus and MDS switches, to deploy malware on the devices.

The vulnerability, tracked as CVE-2024-20399 (CVSS score: 6.0), is a command injection flaw that allows an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device.

“By taking advantage of this flaw, Velvet Ant successfully launched a previously unidentified custom malware program that enabled the threat group to gain access remotely to compromised Cisco Nexus devices, upload additional files, and execute code on the devices,” security company Sygnia said in a statement that was shared with The Hacker News. “Velvet Ant made this possible by exploiting this vulnerability.”

According to Cisco, the flaw stems from insufficient validation of arguments passed to specific configuration CLI commands. An attacker could exploit it by supplying crafted input as the argument of an affected configuration CLI command.

Furthermore, the injected commands run without generating system syslog messages, so a user with Administrator access can execute shell commands on a compromised device without leaving the usual trace. For a stealth-focused actor this is a significant advantage.
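The root cause Cisco describes, a CLI argument that is not validated before it reaches the underlying operating system, and the absence of a syslog trace are two halves of the same lesson. The Python example below is added here to illustrate that class of bug and is not Cisco's code: the `description` command, the printf helper, the allow-list and the in-memory `audit_log` are hypothetical stand-ins, since the affected NX-OS commands and their internal code paths are not public.

```python
"""Command injection through an unvalidated CLI argument, vulnerable vs hardened.

Added illustration, not Cisco code. A hypothetical NX-OS-style configuration
command `description <text>` hands its argument to a helper that prints it.
"""
import re
import subprocess
from typing import List

# Constructed in-memory audit trail standing in for syslog/accounting records.
audit_log: List[str] = []


def run_vulnerable(description: str) -> str:
    """Concatenate the argument into a shell command string (the bug pattern).

    A value such as "eth1;echo INJECTED" becomes two commands: ';' ends the
    intended printf and the remainder runs with the privileges of the CLI
    process. Nothing is logged, mirroring the missing syslog trace.
    """
    cmd = f"printf '%s\\n' {description}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allow-list: only the characters a description field legitimately needs.
# Shell metacharacters (; | & $ ` ( ) < > quotes, newlines) are excluded.
DESCRIPTION_RE = re.compile(r"^[A-Za-z0-9 _.:/-]{1,64}$")


def run_hardened(description: str) -> str:
    """Validate against the allow-list, record an audit event, then execute
    with an argv list so no shell ever parses the value."""
    if not DESCRIPTION_RE.fullmatch(description):
        audit_log.append(f"REJECTED description={description!r}")
        raise ValueError("description contains characters outside the allow-list")
    audit_log.append(f"EXEC description={description!r}")
    # shell=False: execve() receives the string as a single argv element, so
    # ';', '|', '$(' and backticks carry no meaning here.
    result = subprocess.run(["printf", "%s\n", description],
                            capture_output=True, text=True)
    return result.stdout


def is_rejected(description: str) -> bool:
    """True if the hardened path refuses the argument."""
    try:
        run_hardened(description)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "eth1;echo INJECTED"
    print("vulnerable output:", repr(run_vulnerable(payload)))
    print("hardened rejects payload:", is_rejected(payload))
    print("audit trail:", audit_log)
```

`run_vulnerable("eth1;echo INJECTED")` returns both `eth1` and `INJECTED` because the shell splits on the semicolon; `run_hardened` refuses the same input and records the attempt, which is exactly the trace the real exploit avoided. Passing an argv list is the fix; quoting the argument for the shell is a weaker fallback that still depends on getting every metacharacter right.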

Although the vulnerability allows code execution, its severity rating is lower than it would otherwise be because a successful exploit requires the attacker to already hold administrator credentials and have access to specific configuration commands. CVE-2024-20399 affects the following devices:

  • MDS 9000 Series Multilayer Switches
  • Nexus 3000 Series Switches
  • Nexus 5500 Platform Switches
  • Nexus 5600 Platform Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches
  • Nexus 9000 Series Switches in standalone NX-OS mode

Velvet Ant was first documented last month by Sygnia, an Israeli cybersecurity company, in connection with a cyber attack on an unnamed organization in East Asia that lasted roughly three years. In that intrusion the group maintained persistence on outdated F5 BIG-IP appliances to stealthily harvest customer and financial information.

“Network appliances, especially switches, are often not tracked, and their logs are rarely transmitted to a centralized logging system,” according to Sygnia Research. “This lack of surveillance creates major obstacles in recognizing and investigating malicious operations.”

The development comes as threat actors are also exploiting a critical vulnerability in D-Link DIR-859 Wi-Fi routers (CVE-2024-0769, CVSS score: 9.8). The flaw is a path traversal issue that leads to information disclosure and is being used to harvest account information for every user on the device, including names, passwords, groups, and descriptions.

“The exploit’s variations […] enable the extraction of account details from the device,” stated GreyNoise, a threat intelligence company. Because the product has reached End-of-Life status it will not be patched, leaving it exposed to long-term exploitation. The same vulnerability can be used to request different XML files from the device, which is what the exploit variations do.

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he has also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way: he began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. He also writes regularly for Craw Security.