China’s ‘Velvet Ant’ hackers caught exploiting new zero-day in Cisco devices


A newly identified zero-day vulnerability affecting a popular line of Cisco devices was used in an April attack by state-backed hackers from China. 

Cisco and cybersecurity firm Sygnia published advisories on Monday about CVE-2024-20399 — a vulnerability affecting the Cisco NX-OS software used for the Nexus-series switches that connect devices on a network. 

Sygnia incident response research manager Amnon Kushir said they discovered the vulnerability as part of a larger forensic investigation involving a threat group they call Velvet Ant. 

“The threat actors gathered administrator-level credentials to gain access to Cisco Nexus switches and deploy a previously unknown custom malware that allowed them to remotely connect to compromised devices, upload additional files and execute malicious code,” Kushir explained.

“We immediately reported this vulnerability and exploitation to Cisco and provided detailed information about the attack flow.” 

Cisco has released software updates that address the vulnerability but noted that there are no workarounds. The company said its Product Security Incident Response Team (PSIRT) became aware of attempted exploitation in April.

The vulnerability affects multiple Cisco products running a vulnerable release of Cisco NX-OS Software. 

According to Sygnia, Cisco Nexus switches are prevalent in enterprise environments, especially within data centers, but most are not directly exposed to the internet. Network devices like switches are often not sufficiently protected, and organizations frequently fail to take other steps to protect themselves, Kushir added. 

Kushir told Recorded Future News that the Velvet Ant hackers likely breached the organization’s network first before exploiting the vulnerability — calling it “another example of Velvet Ant’s sophistication and stealthiness when infiltrating network devices.” The group’s primary objective is espionage, and it focuses on establishing long-term access to a victim’s network.

In June, Sygnia wrote about another Velvet Ant campaign where the hackers were able to maintain multiple footholds within the victim company’s environment for three years. The group used outdated F5 BIG-IP equipment to stay under the radar and obtain private data, including financial and customer information.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
