China’s ‘Velvet Ant’ hackers caught exploiting new zero-day in Cisco devices


A newly identified zero-day vulnerability affecting a popular line of Cisco devices was used in an April attack by state-backed hackers from China. 

Cisco and cybersecurity firm Sygnia published advisories on Monday about CVE-2024-20399 — a vulnerability affecting the Cisco NX-OS software used for the Nexus-series switches that connect devices on a network. 

Sygnia incident response research manager Amnon Kushir said they discovered the vulnerability as part of a larger forensic investigation involving a threat group they call Velvet Ant. 

“The threat actors gathered administrator-level credentials to gain access to Cisco Nexus switches and deploy a previously unknown custom malware that allowed them to remotely connect to compromised devices, upload additional files and execute malicious code,” Kushir explained.

“We immediately reported this vulnerability and exploitation to Cisco and provided detailed information about the attack flow.” 

Cisco has released software updates that address the vulnerability but noted that there are no workarounds. The company said its Product Security Incident Response Team (PSIRT) became aware of attempted exploitation in April.

The vulnerability affects multiple Cisco products running a vulnerable release of Cisco NX-OS Software. 

According to Sygnia, Cisco Nexus switches are prevalent in enterprise environments, especially within data centers, but most are not directly exposed to the internet. Network devices like switches are often not sufficiently protected, and organizations frequently fail to take other steps to protect themselves, Kushir added. 

Kushir told Recorded Future News that the Velvet Ant hackers likely breached the organization’s network first before exploiting the vulnerability — calling it “another example of Velvet Ant’s sophistication and stealthiness when infiltrating network devices.” The group’s primary objective is espionage, and it focuses on establishing long-term access to a victim’s network.

In June, Sygnia wrote about another Velvet Ant campaign where the hackers were able to maintain multiple footholds within the victim company’s environment for three years. The group used outdated F5 BIG-IP equipment to stay under the radar and obtain private data, including financial and customer information.


Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

