Skip to content

Chinese cybercrooks exploit Cisco switches to deliver malware

  • by
  • 3 min read

A China-based threat group named Velvet Ant has been found exploiting a zero-day vulnerability dubbed CVE-2024-20399 to compromise Cisco switches worldwide. The vulnerability is a newly discovered command injection bug in Cisco’s NX-OS software CLI (command line interface), affecting a wide range of Cisco Nexus devices.

The vulnerability was first discovered by security researchers from Sygnia and promptly reported to Cisco, who disclosed the bug in a security advisory issued on June 1. The bug allows any attacker with valid administrative credentials to the Switch management console to escape the NX-OS CLI and execute arbitrary commands on the underlying Linux operating system.

Sygnia researchers found the bug to be part of a larger investigation into Velvet Ant’s cyber espionage operations. Once the vulnerability is exploited, the group uploads a “previously unknown malware” that essentially takes over the device, allowing threat actors to connect remotely to the affected devices, upload files, and execute arbitrary code.

This is an image of what is a router and how it works 112

As severe as the post-exploitation consequences are, the vulnerability itself isn’t easy to exploit, scoring only a 6.0 on the CVSS scale. An attacker would require admin-level credentials and network access to the Nexus switch to carry out an attack. Given that most Nexus switches aren’t exposed to the internet, this would mean breaching an organisation and accessing its internal network to exploit the vulnerability.

While the difficult attack vector makes the bug less likely to be exploited, Cisco has already issued software updates that address the issue. There are also no workarounds, so it’s best to update affected devices as soon as possible. Cisco reports the following devices as affected, with a detailed list available in their advisory.

  • MDS 9000 Series Multilayer Switches (CSCwj97007)
  • Nexus 3000 Series Switches (CSCwj97009)
  • Nexus 5500 Platform Switches (CSCwj97011)
  • Nexus 5600 Platform Switches (CSCwj97011)
  • Nexus 6000 Series Switches (CSCwj97011)
  • Nexus 7000 Series Switches (CSCwj94682)
  • Nexus 9000 Series Switches in standalone NX-OS mode (CSCwj97009)

Generally speaking, network appliances such as switches and routers aren’t particularly well-monitored and are not connected to a centralised logging system. This lack of monitoring and insight can often cause problems later down the road in identifying and investigating malicious activity. Sophisticated threat actors also tend to exploit such vulnerabilities, despite the high difficulty of attack as there’s a smaller chances of their malicious activity getting flagged or detected.

In the News: Google mandates AI disclosures in election ads

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

Related Reads

This is an image of data breach featured cybersecurity 113 e1666861228304

Sensitive information of over 5.5 million patients stolen from Yale Health

This is an image of data breach cyber security 239847238978

Lazarus threat actors breach six South Korean companies

This is an image of cyber security hacked breach

“Educational” toolkit for evading Microsoft Office 365 MFA being sold online

This is an image of dark web hacker security

Cybercriminals are using the Pope’s death to preach malware

This is an image of phishing featured storyblocks

North Korean IT workers are using deepfakes to get jobs

This is an image of cisco 3289sd

Cisco confirms several products affected by RCE flaw

>