Cisco warns of NX-OS zero-day exploited to deploy custom malware

Cisco has patched an NX-OS zero-day exploited in April attacks to install previously unknown malware as root on vulnerable switches. Cybersecurity firm Sygnia, who reported the incidents to Cisco, linked the attacks to a Chinese state-sponsored threat actor it tracks as Velvet Ant. “Sygnia detected this exploitation during a larger forensic investigation into the China-nexus cyberespionage group we are tracking as Velvet Ant,” Amnon Kushnir, Director of Incident Response at Sygnia, told BleepingComputer. “The threat actors gathered administrator-level credentials to gain access to Cisco Nexus switches and deploy a previously unknown custom malware that allowed them to remotely connect to compromised devices, upload additional files and execute malicious code.” Cisco says the vulnerability (tracked as CVE-2024-20399) can be exploited by local attackers with Administrator privileges to execute arbitrary commands with root permissions on vulnerable devices’ underlying operating systems. “This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command,” Cisco explains. “A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of root.” The list of impacted devices includes multiple switches running vulnerable NX-OS software:

• MDS 9000 Series Multilayer Switches
• Nexus 3000 Series Switches
• Nexus 5500 Platform Switches
• Nexus 5600 Platform Switches
• Nexus 6000 Series Switches
• Nexus 7000 Series Switches
• Nexus 9000 Series Switches in standalone NX-OS mode

The security flaw also enables attackers to execute commands without triggering system syslog messages, thus allowing them to conceal signs of compromise on hacked NX-OS devices. Cisco advises customers to monitor and change the credentials of network-admin and vdc-admin administrative users regularly. Admins can use the Cisco Software Checker page to determine whether devices on their network are exposed to attacks targeting the CVE-2024-20399 vulnerability. In April, Cisco also warned that a state-backed hacking group (tracked as UAT4356 and STORM-1849) had been exploiting multiple zero-day bugs (CVE-2024-20353 and CVE-2024-20359) in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023 in a campaign dubbed ArcaneDoor targeting government networks worldwide. At the time, the company added that it also found evidence the hackers had tested and developed exploits to target the zero-day flaws since at least July 2023. They exploited the vulnerabilities to install previously unknown malware that allowed them to maintain persistence on compromised ASA and FTD devices. However, Cisco said that it had yet to identify the initial attack vector used by the attackers to breach the victims’ networks. Last month, Sygnia said Velvet Ant targeted F5 BIG-IP appliances with custom malware in a cyberespionage campaign. In this campaign, they used persistent access to their victims’ networks to stealthily steal sensitive customer and financial information for three years while avoiding detection.