Details have emerged about a China-nexus threat group's exploitation of a recently disclosed, now-patched security flaw in Cisco switches as a zero-day to seize control of the appliances and evade detection.
The activity, attributed to Velvet Ant, was observed early this year and involved the weaponization of CVE-2024-20399 (CVSS score: 6.0) to deliver bespoke malware and gain extensive control over the compromised system, facilitating both data exfiltration and persistent access.
"The zero-day exploit allows an attacker with valid administrator credentials to the Switch management console to escape the NX-OS command line interface (CLI) and execute arbitrary commands on the Linux underlying operating system," cybersecurity firm Sygnia said in a report shared with The Hacker News.
Velvet Ant first caught the attention of researchers at the Israeli cybersecurity firm in connection with a multi-year campaign that targeted an unnamed organization located in East Asia by leveraging legacy F5 BIG-IP appliances as a vantage point for setting up persistence in the compromised environment.
The threat actor's stealthy exploitation of CVE-2024-20399 came to light early last month, prompting Cisco to issue security updates to address the flaw.
Notable among the tradecraft is the level of sophistication and the shape-shifting tactics adopted by the group, which initially infiltrated new Windows systems before moving to legacy Windows servers and network devices in an attempt to fly under the radar.
"The transition to operating from internal network devices marks yet another escalation in the evasion techniques used in order to ensure the continuation of the espionage campaign," Sygnia said.
The latest attack chain involves breaking into a Cisco switch appliance using CVE-2024-20399 and conducting reconnaissance activities, subsequently pivoting to more network devices and ultimately executing a backdoor binary by means of a malicious script.
The payload, dubbed VELVETSHELL, is an amalgamation of two open-source tools: a Unix backdoor named Tiny SHell and a proxy utility called 3proxy. It also supports capabilities to execute arbitrary commands, download/upload files, and establish tunnels for proxying network traffic.
"The modus-operandi of 'Velvet Ant' highlights risks and questions regarding third-party appliances and applications that organizations onboard," the company said. "Due to the 'black box' nature of many appliances, each piece of hardware or software has the potential to turn into the attack surface that an adversary is able to exploit."