Cybersecurity researchers at Sygnia determined that a China-linked Advanced Persistent Threat (APT) group tracked as Velvet Ant successfully exploited a newly disclosed zero-day vulnerability to compromise Cisco switches and take over network appliances.
The Zero-Day Vulnerability: CVE-2024-20399
In July 2024, Cisco fixed a critical security weakness in its NX-OS software, tracked as CVE-2024-20399. The vulnerability, which carries a CVSS score of 6.0, allowed authenticated attackers to run arbitrary commands as root on the underlying operating system of vulnerable devices.
The weakness stems from insufficient validation of arguments passed to certain configuration CLI commands. Exploiting it requires administrator credentials, which underscores the need for sound credential management practices.
Velvet Ant’s Sophisticated Attack Strategy
In April 2024, Sygnia researchers reported the exploitation of CVE-2024-20399 by Velvet Ant as a zero-day vulnerability. Using legitimate administrator credentials, the APT group was able to break out of the NX-OS command line interface (CLI) and run arbitrary commands on the underlying Linux operating system.
After the initial exploitation, Velvet Ant deployed custom malware that Sygnia named “VELVETSHELL.” The malware runs at the level of the underlying OS, where conventional security tools do not see it, which illustrates the actor’s advanced capabilities.
VELVETSHELL: A Hybrid Malware Threat
Sygnia was able to reconstruct the VELVETSHELL malware from memory dumps of the devices, even though the threat actor had tried to delete the malware files. It is a sophisticated hybrid of two open-source tools, TinyShell and 3proxy.
VELVETSHELL can:
- Execute arbitrary commands
- Download and upload files
- Create tunnels to proxy network traffic
Together these capabilities allow Velvet Ant to maintain a persistent backdoor on targeted devices for data exfiltration and espionage.
Impacted Cisco Devices
The vulnerability affects several Cisco device families, including:
- MDS 9000 Series Multilayer Switches
- Nexus 3000 Series Switches
- Nexus 5500 Platform Switches
- Nexus 5600 Platform Switches
- Nexus 6000 Series Switches
- Nexus 7000 Series Switches
- Nexus 9000 Series Switches in standalone NX-OS mode
Mitigation and Response
Cisco advises customers to monitor the use of administrator credentials, especially the network-admin and vdc-admin accounts. The company has also made the Cisco Software Checker tool available so customers can determine whether their devices are affected by this flaw.
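One way to act on that advice is to review the switch's command accounting log for sessions opened by network-admin or vdc-admin accounts and flag the ones that come from an unexpected host or outside a maintenance window. The script below is an added example, not code from Sygnia or Cisco; the log lines, the user-to-role mapping and the jump-host allowlist are constructed, and the line layout is an assumption approximating NX-OS "show accounting log" output.

```python
import re
from datetime import datetime

# Constructed sample lines approximating NX-OS "show accounting log" output
# (assumed layout: "<timestamp>:type=<start|stop|update>:id=<src>@<tty>:user=<name>:cmd=<command>").
SAMPLE_LOG = """\
Mon Jul  1 09:12:44 2024:type=start:id=10.0.0.21@pts/0:user=netops:cmd=
Mon Jul  1 09:13:02 2024:type=update:id=10.0.0.21@pts/0:user=netops:cmd=configure terminal ; interface Ethernet1/1 ; description uplink (SUCCESS)
Mon Jul  1 23:41:10 2024:type=start:id=203.0.113.9@pts/1:user=admin:cmd=
Mon Jul  1 23:41:30 2024:type=update:id=203.0.113.9@pts/1:user=admin:cmd=configure terminal ; interface Ethernet1/2 ; shutdown (SUCCESS)
Tue Jul  2 03:05:51 2024:type=start:id=10.0.0.21@pts/0:user=vdcadmin:cmd=
"""

# Constructed user-to-role mapping (in practice exported from "show user-account").
ROLES = {"admin": "network-admin", "netops": "network-operator", "vdcadmin": "vdc-admin"}
PRIVILEGED_ROLES = {"network-admin", "vdc-admin"}   # the roles the advisory singles out
ALLOWED_SOURCES = {"10.0.0.21"}                      # constructed jump-host allowlist
LINE_RE = re.compile(r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<src>[^@]+)@(?P<tty>[^:]+):user=(?P<user>[^:]+):cmd=(?P<cmd>.*)$")


def parse_line(line):
    """Return a dict for one accounting-log line, or None if it does not match the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # collapse the double space NX-OS prints before single-digit days, then parse the timestamp
    rec["ts"] = datetime.strptime(" ".join(rec["ts"].split()), "%a %b %d %H:%M:%S %Y")
    return rec


def audit_privileged_logins(log_text, roles, allowed_sources, window=(8, 18)):
    """Flag session starts by network-admin/vdc-admin accounts that come from a host outside
    the allowlist or fall outside the maintenance window [start_hour, end_hour)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["type"] != "start":
            continue
        if roles.get(rec["user"]) not in PRIVILEGED_ROLES:
            continue                      # only privileged roles are in scope
        reasons = []
        if rec["src"] not in allowed_sources:
            reasons.append("unexpected-source")
        if not (window[0] <= rec["ts"].hour < window[1]):
            reasons.append("outside-window")
        if reasons:
            findings.append({"user": rec["user"], "src": rec["src"],
                             "time": rec["ts"].isoformat(), "reasons": reasons})
    return findings
```

Run against the constructed log, the admin session from 203.0.113.9 at 23:41 and the vdc-admin session at 03:05 are flagged, while the network-operator session is ignored.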
In light of the seriousness of the threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-20399 to its Known Exploited Vulnerabilities (KEV) catalog.