Chinese hackers, identified as the threat group “Velvet Ant,” have been actively exploiting a newly discovered command injection vulnerability in Cisco's NX-OS Software, according to recent reports from Cisco and cybersecurity firm Sygnia.
The vulnerability, tracked as CVE-2024-20399, affects a range of Cisco Nexus switches and allows attackers with administrative access to execute arbitrary commands on the underlying operating system.
Discovery and exploitation details
Sygnia discovered the vulnerability during a forensic investigation into a broader cyber espionage operation, which was attributed to Velvet Ant, a group with ties to China. Sygnia's team identified that Velvet Ant exploited this zero-day vulnerability to execute malicious code on compromised Cisco Nexus switches. The findings were shared with Cisco, which subsequently released a security advisory on July 1, 2024.
The CVE-2024-20399 vulnerability stems from insufficient validation of arguments passed to certain CLI commands in the Cisco NX-OS Software. An attacker with administrator credentials can exploit this flaw by crafting specific inputs that allow them to run commands as the root user on the underlying Linux operating system of the affected devices. This capability can be leveraged to install malware, upload additional files, and establish persistent remote access to the compromised switches.
Impact and mitigation
Cisco's advisory lists several affected product lines, including:
- MDS 9000 Series Multilayer Switches
- Nexus 3000, 5500, 5600, 6000, 7000, and 9000 Series Switches
Cisco has confirmed that NX-OS Software releases 9.3(5) and later are not affected for most Nexus 3000 and 9000 platforms, while releases 8.1(0) and later are not affected for Nexus 7000 switches. Despite the required administrative access and network presence, the vulnerability poses a significant risk due to the critical role of Nexus switches in enterprise data centers.
Given the critical nature of the devices and the sophistication of the threat actor, Cisco has released software updates to address this vulnerability. Organizations are advised to apply these patches immediately to prevent potential exploitation. In the absence of available patches, adhering to the following best practices can mitigate the risk:
- Use Privileged Access Management (PAM) solutions and enforce multi-factor authentication (MFA) to limit access to network devices.
- Implement centralized authentication, authorization, and accounting (AAA) systems like TACACS+ and Cisco ISE.
- Utilize complex passwords, preferably managed by a Privileged Identity Management (PIM) solution.
- Restrict switches from initiating outbound connections to reduce the risk of external exploitation.
- Continuously monitor for vulnerabilities and apply patches promptly.
Enhancing visibility into network devices is crucial for early detection of exploitation attempts. Organizations should Enable Syslog on all switches and integrate logs with a Security Information and Event Management (SIEM) system, and configure alerts for suspicious activities, such as unauthorized SSH connections. Additionally, it is advisable to conduct regular threat hunts and analyze network traffic for anomalies associated with management ports like SSH and Telnet.
LockBit Ransomware Stole Customer Data From Evolve Bank & Trust
Leave a Reply