
Chinese hackers using zero-day in Cisco Switches to spread malware


TLDR: Chinese hackers known as Velvet Ant are exploiting a zero-day vulnerability in Cisco switches to deploy custom malware, allowing remote connections and execution of arbitrary commands. Cisco has released patches to address the issue.

A sophisticated China-linked cyber espionage group, Velvet Ant, has been exploiting a zero-day vulnerability in Cisco NX-OS Software to deploy custom malware on network switches. The vulnerability, identified as CVE-2024-20399, allows an authenticated attacker to execute arbitrary commands as root on affected devices. The exploitation of this flaw enabled the group to execute custom malware on compromised Cisco Nexus devices, facilitating remote connections and further code execution.

The VELVETSHELL malware used by Velvet Ant combines elements of TinyShell and 3proxy. It can execute arbitrary commands, download and upload files, and create tunnels to proxy network traffic. Velvet Ant has been operating for about three years, targeting inadequately protected network appliances to stealthily steal customer and financial information.

Cisco has released software updates to address the vulnerability and advises customers to apply these patches promptly. Beyond patching, organizations are advised to implement robust monitoring for network appliances, regularly review and update administrator credentials, and adopt security best practices to prevent unauthorized access.

As cyber threats continue to evolve, organizations must remain proactive in their cybersecurity approach, ensuring that all aspects of their network infrastructure, including switches and network appliances, are adequately protected and monitored.
