Chinese hackers exploit Cisco software flaw

"Hackers Exploit Flaw"

Alleged Chinese hackers, tracked as “Velvet Ant,” are exploiting a zero-day flaw, CVE-2024-20399, in Cisco’s NX-OS software. The activity was identified by cybersecurity company Sygnia; the vulnerability allows an attacker to gain unauthorized remote access.

By sending specially crafted HTTP requests, these cybercriminals can execute arbitrary code as the root user, potentially leading to high-impact security breaches. Cisco has acknowledged the issue and is currently working on a swift resolution.

The flaw allows an authorized local user to execute unrestricted actions with root user privileges on the targeted device’s operating system. Actions may include data manipulation, unwanted software installation, or changes to system settings, posing a significant security risk.

The defect stems from insufficient validation of arguments passed to certain command-line interface (CLI) commands in Cisco’s software. Attackers can exploit this by supplying crafted input to an affected CLI command, gaining unauthorized access to sensitive user data.

This bug affects a range of devices, from the MDS 9000 Series Multilayer Switches to the Nexus 9000 Series Switches.

Chinese cybercriminals capitalize on Cisco flaw

The threat requires certain prerequisites, which significantly reduce the immediate concern despite the high potential impact. An attacker, for example, would first need administrator credentials and the ability to execute critical configuration commands on the affected devices.

Velvet Ant was uncovered by an Israeli cybersecurity firm during an investigation of a persistent cyber attack on an unnamed East Asian organization that was still running outdated F5 BIG-IP appliances. That weakness gave Velvet Ant a golden opportunity to discreetly gather highly sensitive client and financial data.

Network devices such as switches are typically under-monitored, which, according to Sygnia, makes it harder to spot and analyze malicious activity. The news coincides with reports of multiple threat actors exploiting a vulnerability in D-Link DIR-859 Wi-Fi routers, creating persistent exploitation risks. Threat intelligence company GreyNoise highlighted these developments, emphasizing the growing need for robust security measures and vigilant monitoring of network devices.