Cisco warns of NX-OS zero-day exploited to deploy custom malware

Cisco has patched an NX-OS zero-day exploited in April attacks to install previously unknown malware as root on vulnerable switches.

Cybersecurity firm Sygnia, which reported the incidents to Cisco, linked the attacks to a Chinese state-sponsored threat actor it tracks as Velvet Ant.

“Sygnia detected this exploitation during a larger forensic investigation into the China-nexus cyberespionage group we’re tracking as Velvet Ant,” Amnon Kushnir, Director of Incident Response at Sygnia, told BleepingComputer.

“The threat actors gathered administrator-level credentials to gain access to Cisco Nexus switches and deploy a previously unknown custom malware that allowed them to remotely connect to compromised devices, upload additional files and execute malicious code.”

Cisco says the vulnerability (tracked as CVE-2024-20399) can be exploited by local attackers with Administrator privileges to execute arbitrary commands with root permissions on vulnerable devices’ underlying operating systems.

“This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command,” Cisco explains.

“A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of root.”

The list of impacted devices includes multiple switches running vulnerable NX-OS software:

  • MDS 9000 Series Multilayer Switches
  • Nexus 3000 Series Switches
  • Nexus 5500 Platform Switches
  • Nexus 5600 Platform Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches
  • Nexus 9000 Series Switches in standalone NX-OS mode

The security flaw also enables attackers to execute commands without triggering system syslog messages, thus allowing them to conceal signs of compromise on hacked NX-OS devices.

Cisco advises customers to monitor and change the credentials of the network-admin and vdc-admin administrative users regularly.

Admins can use the Cisco Software Checker page to determine whether devices on their network are exposed to attacks targeting the CVE-2024-20399 vulnerability.

In April, Cisco also warned that a state-backed hacking group (tracked as UAT4356 and STORM-1849) had been exploiting multiple zero-day bugs (CVE-2024-20353 and CVE-2024-20359) in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023 in a campaign dubbed ArcaneDoor targeting government networks worldwide.

At the time, the company added that it had also found evidence the hackers had tested and developed exploits targeting the zero-day flaws since at least July 2023.

They exploited the vulnerabilities to install previously unknown malware that allowed them to maintain persistence on compromised ASA and FTD devices. However, Cisco said that it had yet to identify the initial attack vector used by the attackers to breach the victims’ networks.

Last month, Sygnia said Velvet Ant targeted F5 BIG-IP appliances with custom malware in a cyberespionage campaign. In this campaign, they used persistent access to their victims’ networks to stealthily steal sensitive customer and financial information for three years while avoiding detection.