Cybersecurity researchers have identified a Chinese cyber espionage campaign exploiting a newly discovered command injection vulnerability in Cisco’s NX-OS software.
The cybersecurity firm Sygnia uncovered the vulnerability during a forensic investigation of a threat group they named Velvet Ant. The vulnerability, tracked as CVE-2024-20399 after Sygnia reported it to Cisco, affects the command-line interface of Cisco NX-OS and impacts various Nexus series switches as well as Cisco’s MDS 9000 Series multilayer switches.
Cisco’s advisory states, “The vulnerability is due to insufficient validation of arguments passed to specific configuration CLI commands. An attacker could exploit this vulnerability by providing crafted input as the argument of an affected configuration CLI command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.” However, for the exploit to work, the attacker must already hold administrator credentials. Cisco has released software updates that address the vulnerability; there are no workarounds.
Sygnia did not specify when they observed the Chinese espionage activity but noted that the attackers successfully executed commands on vulnerable hardware before deploying a “previously unknown custom malware” that enabled remote connections to compromised devices, which in turn allowed the upload of additional files and further code execution. Exploitation requires administrator-level credentials and network access to a vulnerable Nexus switch.
“Despite the substantial prerequisites for exploiting the discussed vulnerability, this incident demonstrates the tendency of sophisticated threat groups to leverage network appliances – which are often not sufficiently protected and monitored – to maintain persistent network access,” Sygnia’s researchers stated in a blog post. “The incident also underscores the critical importance of adhering to security best practices as a mitigation against this type of threat.”
The affected devices include:
- MDS 9000 Series Multilayer Switches (CSCwj97007)
- Nexus 3000 Series Switches (CSCwj97009)
- Nexus 5500 Platform Switches (CSCwj97011)
- Nexus 5600 Platform Switches (CSCwj97011)
- Nexus 6000 Series Switches (CSCwj97011)
- Nexus 7000 Series Switches (CSCwj94682)
- Nexus 9000 Series Switches in standalone NX-OS mode (CSCwj97009)
Previously, Sygnia had observed Velvet Ant targeting a “large organization” in late 2023, exploiting “a legacy F5 BIG-IP appliance” to establish an internal C&C node. Sygnia considers Velvet Ant to be a “sophisticated threat actor” with robust capabilities and a methodical approach to targeting its victims.