What is the vulnerability exploited by the Velvet Ant group?

The vulnerability exploited by the Chinese cyber espionage group known as Velvet Ant is tracked as CVE-2024-20399. It is a command injection flaw in Cisco's NX-OS with a CVSS score of 6.7. The vulnerability allows attackers with administrator credentials to escape the NX-OS command line interface (CLI) and execute arbitrary commands on the underlying Linux operating system.

How is the Velvet Ant group exploiting CVE-2024-20399?

Velvet Ant is exploiting CVE-2024-20399 to install custom malware called 'VelvetShell,' which is a hybrid version of the TinyShell Unix backdoor and 3proxy proxy tool. The malware operates stealthily on the underlying operating system of Cisco Nexus-series switch appliances, evading common security detection mechanisms and enabling long-term persistence.

What is the impact of CVE-2024-20399?

The vulnerability gives attackers with administrator credentials full control over Cisco Nexus-series switches, allowing them to execute arbitrary commands, install persistent malware, and potentially pivot to other network devices.

When did Cisco release a patch for CVE-2024-20399?

Cisco released a patch for CVE-2024-20399 on July 1, 2024. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) later added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

What should organizations do to protect against this vulnerability?

Organizations using Cisco Nexus-series switches should immediately apply the patch released by Cisco to mitigate CVE-2024-20399. Additionally, they should monitor network activity for signs of compromise and review security controls to detect and block potential exploitation.

Attack

Chinese cyber espionage group uses Cisco zero-day flaw to deploy malware

published: Aug. 26, 2024

Take action: Intially the patch was an advisory and a long shot of exploit. Now it's serious, because real life exploits are detected. Time to patch.

Learn More

A Chinese cyber espionage group known as Velvet Ant has been observed exploiting a critical zero-day vulnerability in Cisco's NX-OS to deploy custom malware.

The vulnerability, tracked as CVE-2024-20399 (CVSS score 6.7), is a command injection flaw that allows attackers with administrator credentials to escape the NX-OS command line interface (CLI) and execute arbitrary commands on the underlying Linux operating system. The vulnerability is considered severe due to its potential to give attackers full control over Cisco Nexus-series switch appliances.

Velvet Ant leveraged the vulnerability to install a custom malware dubbed "VelvetShell," which is a hybrid version of two open-source tools: TinyShell, a Unix backdoor, and 3proxy, a proxy tool. This malware runs stealthily on the underlying operating system and is invisible to common security detection mechanisms, enabling long-term persistence and allowing Velvet Ant to pivot to other network devices.

Cisco released a patch for CVE-2024-20399 on July 1, 2024. Shortly after, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

Chinese cyber espionage group uses Cisco zero-day flaw to deploy malware

Read More
Critical SmarterMail Authentication Bypass Under Active Exploitation
Palo Alto Networks reports actively exploited DoS flaw …
Akira ransomware gang is exploiting old Cisco ASA/FTD …
CISA warns of active attacks legacy PowerPoint flaw
CISA warns of active exploits of old Oracle …