A China-nexus cyber espionage group named Velvet Ant has been observed exploiting a zero-day flaw in Cisco NX-OS Software used in its switches to deliver malware.
The vulnerability, tracked as CVE-2024-20399 (CVSS score: 6.0), concerns a case of command injection that allows an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device.
"By exploiting this vulnerability, Velvet Ant successfully executed a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices," cybersecurity firm Sygnia said in a statement shared with The Hacker News.
Cisco said the issue stems from insufficient validation of arguments that are passed to specific configuration CLI commands, which could be exploited by an adversary by including crafted input as the argument of an affected configuration CLI command.
What's more, it allows a user with administrator privileges to execute commands without triggering system syslog messages, thereby making it possible to conceal the execution of shell commands on hacked appliances.
Despite the code execution capabilities of the flaw, the lower severity is due to the fact that successful exploitation requires an attacker to already be in possession of administrator credentials and have access to specific configuration commands. The following devices are impacted by CVE-2024-20399 –
- MDS 9000 Series Multilayer Switches
- Nexus 3000 Series Switches
- Nexus 5500 Platform Switches
- Nexus 5600 Platform Switches
- Nexus 6000 Series Switches
- Nexus 7000 Series Switches, and
- Nexus 9000 Series Switches in standalone NX-OS mode
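As an added illustration of the bug class Cisco describes (insufficient validation of a CLI command's argument before it reaches a root shell), the Python below is not Cisco's code and does not model the affected NX-OS command, which the advisory excerpt above does not name. It contrasts a CLI wrapper that interpolates its argument into a shell command line with one that checks the argument against an allow-list, invokes the binary without a shell, and records every call in an audit trail. `/bin/echo` stands in for the real privileged command so the script runs harmlessly on any POSIX host, and the allow-list pattern is an assumption, not a Cisco rule.

```python
import re
import subprocess

# Added example, not Cisco's code. /bin/echo stands in for the privileged
# command a real CLI wrapper would invoke; the allow-list below is an assumption.
ARGUMENT_RE = re.compile(r"^[A-Za-z0-9_./:-]{1,64}$")  # e.g. "Ethernet1/1", "mgmt0"

# Constructed audit trail: the hardened handler appends one record per call,
# which is the syslog-style evidence the vulnerable handler never produces.
audit_log: list[str] = []


def run_vulnerable(argument: str) -> str:
    """Vulnerable pattern: the operator-supplied argument is pasted into a shell
    command line. Shell metacharacters (';', '|', '$(...)') in the argument
    become additional commands, executed with the wrapper's privileges, and
    nothing about the call is logged."""
    command_line = f"/bin/echo {argument}"
    result = subprocess.run(command_line, shell=True, capture_output=True, text=True)
    return result.stdout


def validate_argument(argument: str) -> bool:
    """Allow-list check: only characters that can never be shell syntax."""
    return ARGUMENT_RE.fullmatch(argument) is not None


def run_hardened(argument: str, user: str = "admin") -> str:
    """Hardened pattern: reject anything outside the allow-list, log the call
    (accepted or rejected), and pass the argument as a single argv element so
    no shell ever parses it."""
    if not validate_argument(argument):
        audit_log.append(f"CLI-REJECT user={user} arg={argument!r}")
        raise ValueError("argument contains characters outside the allow-list")
    audit_log.append(f"CLI-EXEC user={user} cmd=/bin/echo arg={argument!r}")
    result = subprocess.run(["/bin/echo", argument], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    crafted = "foo; echo INJECTED"          # constructed malicious argument
    print("vulnerable:", repr(run_vulnerable(crafted)))   # second command ran
    print("hardened  :", repr(run_hardened("Ethernet1/1")))
    try:
        run_hardened(crafted)
    except ValueError as exc:
        print("hardened rejected crafted input:", exc)
    print("audit trail:", audit_log)
```

The vulnerable handler prints `INJECTED` on its own line because `/bin/sh -c` split the string at the `;`; the hardened handler never reaches a shell, so even an argument that slipped past the allow-list would be passed to `echo` as a literal. The audit records are the detection hook: a wrapper that executes without emitting them is exactly the concealment the advisory describes.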
Sygnia said it discovered in-the-wild exploitation of CVE-2024-20399 during a broader forensic investigation that occurred over the past year. Cisco, however, noted that it became aware of attempted exploitation of the vulnerability in April 2024.
Velvet Ant was first documented by the Israeli cybersecurity firm last month in connection with a cyber attack targeting an unnamed organization located in East Asia for a period of about three years by establishing persistence using outdated F5 BIG-IP appliances in order to stealthily steal customer and financial information.
"Network appliances, particularly switches, are often not monitored, and their logs are frequently not forwarded to a centralized logging system," Sygnia said. "This lack of monitoring creates significant challenges in identifying and investigating malicious activities."
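The monitoring gap Sygnia describes is one a practitioner can check for mechanically. The Python below is an added example (not Sygnia's or Cisco's tooling) that scans a switch's running configuration and flags devices with no remote syslog destination and no AAA accounting, the two settings that get command and login activity off the box. The command syntax it matches (`logging server <host> [<severity>] [use-vrf <vrf>]` and `aaa accounting default group <server-group>`) is assumed from NX-OS configuration conventions, and both sample configurations are constructed for the example.

```python
import re

# Added example, not vendor tooling. NX-OS command syntax below is an
# assumption drawn from configuration conventions, not verified against a
# specific release.
LOGGING_SERVER_RE = re.compile(r"^logging server (\S+)(?: (\d))?(?: use-vrf (\S+))?")
ACCOUNTING_RE = re.compile(r"^aaa accounting default (group \S+|local)")

# Constructed running-config fragments for two hypothetical switches.
SWITCH_MONITORED = """\
hostname core-sw01
feature tacacs+
logging server 192.0.2.10 6 use-vrf management
logging source-interface mgmt0
aaa accounting default group tacacs-grp
"""

SWITCH_UNMONITORED = """\
hostname dist-sw07
logging level local7 6
logging logfile messages 5
"""


def audit_logging_config(running_config: str) -> dict:
    """Return the remote syslog servers and accounting method found in a
    running-config, plus a list of findings describing what never leaves
    the switch."""
    servers = []
    accounting = None
    hostname = "unknown"
    for raw in running_config.splitlines():
        line = raw.strip()
        if line.startswith("hostname "):
            hostname = line.split(None, 1)[1]
            continue
        match = LOGGING_SERVER_RE.match(line)
        if match:
            host, severity, vrf = match.groups()
            servers.append({
                "host": host,
                "severity": int(severity) if severity else None,
                "vrf": vrf,
            })
            continue
        match = ACCOUNTING_RE.match(line)
        if match:
            accounting = match.group(1)

    findings = []
    if not servers:
        findings.append("no remote syslog destination: messages stay on the switch")
    if accounting is None or accounting == "local":
        findings.append("no AAA accounting to a server group: CLI activity is not "
                        "recorded centrally")
    return {"hostname": hostname, "servers": servers,
            "accounting": accounting, "findings": findings}


def is_centrally_logged(running_config: str) -> bool:
    """True only when both remote syslog and server-group accounting are set."""
    return not audit_logging_config(running_config)["findings"]


if __name__ == "__main__":
    for cfg in (SWITCH_MONITORED, SWITCH_UNMONITORED):
        report = audit_logging_config(cfg)
        status = "ok" if not report["findings"] else "GAP"
        print(f"{report['hostname']}: {status}")
        for finding in report["findings"]:
            print(f"  - {finding}")
```

Run across a fleet's configuration backups, the two findings identify the switches on which a CVE-2024-20399-style root shell, or any other tampering, would leave evidence only on the device itself, where an attacker with administrator credentials can also clean up.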
The development comes as threat actors are exploiting a critical vulnerability affecting D-Link DIR-859 Wi-Fi routers (CVE-2024-0769, CVSS score: 9.8) – a path traversal issue leading to information disclosure – to gather account information such as names, passwords, groups, and descriptions for all users.
"The exploit's variations [...] enable the extraction of account details from the device," threat intelligence firm GreyNoise said. "The product is End-of-Life, so it will not be patched, posing long-term exploitation risks. Multiple XML files can be invoked using the vulnerability."