Chinese threat actors have been found to be abusing a zero-day vulnerability in certain Cisco switches to take over devices and install malware.
The findings come courtesy of Sygnia, which recently discovered a new malicious campaign apparently run by a Chinese state-sponsored threat actor known as Velvet Ant.
“The threat actors harvested administrator-level credentials to gain access to Cisco Nexus switches and deploy previously unknown custom malware that allowed them to remotely connect to compromised devices, upload additional files, and execute malicious code,” said Amnon Kushnir, director of incident response at Sygnia.
Monitoring login credentials
The vulnerability has now been fixed, so if you are using any of the models mentioned below, be sure to apply the fix immediately.
The vulnerability is known as CVE-2024-20399 and, according to Cisco, can be abused by local attackers with administrator privileges. It gives them the ability to execute arbitrary commands with root permissions on NX-OS, the operating system that powers the switches.
“This vulnerability is due to insufficient validation of arguments passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including a crafted input as an argument to an affected CLI configuration command,” Cisco said.
Here is the full list of affected products:
MDS 9000 Series Multilayer Switches
Nexus 3000 Series Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 7000 Series Switches
Nexus 9000 Series Switches in Standalone NX-OS Mode
In addition to allowing arbitrary commands to be executed with root privileges, the vulnerability also lets attackers do so without being noticed, because exploitation does not trigger system syslog messages, it was said.
To look for signs of vulnerability, Cisco recommends that network administrators monitor and update the login credentials for the network-admin and vdc-admin users. Administrators can also use the Cisco Software Checker page to determine whether any of their devices are affected.
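The credential-monitoring advice above is easier to act on with the switch's own command accounting, which is a separate record from the syslog messages the page notes are not generated. The script below is an added example (not Sygnia's or Cisco's code) that parses constructed entries laid out like NX-OS "show accounting log" output and reports configuration-mode commands issued by accounts holding the network-admin or vdc-admin role, marking sessions that come from outside an assumed management subnet. The log layout, the account-to-role map, the subnet and the sample lines are all assumptions.

```python
"""Audit NX-OS style accounting-log entries for privileged configuration changes.
Added example; the log layout, roles, subnet and sample lines are constructed."""
import ipaddress
import re

PRIVILEGED_ROLES = {"network-admin", "vdc-admin"}  # roles named in Cisco's guidance
# Constructed assumptions: which local accounts hold those roles, and the management subnet
USER_ROLES = {"admin": "network-admin", "netops": "network-operator"}
MGMT_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Assumed layout: <timestamp>:type=<start|update|stop>:id=<source>@<tty>:user=<name>:cmd=<cli> (RESULT)
ENTRY_RE = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<src>[^@]+)@(?P<tty>[^:]+)"
    r":user=(?P<user>[^:]+):cmd=(?P<cmd>.*)$"
)

# Constructed sample log (not real device output)
SAMPLE_LOG = """\
Mon Jul  1 09:12:03 2024:type=start:id=192.0.2.10@pts/0:user=netops:cmd=
Mon Jul  1 09:12:40 2024:type=update:id=192.0.2.10@pts/0:user=netops:cmd=show version (SUCCESS)
Mon Jul  1 23:41:17 2024:type=start:id=198.51.100.7@pts/1:user=admin:cmd=
Mon Jul  1 23:41:52 2024:type=update:id=198.51.100.7@pts/1:user=admin:cmd=configure terminal ; feature scp-server (SUCCESS)
Mon Jul  1 23:42:05 2024:type=update:id=198.51.100.7@pts/1:user=admin:cmd=configure terminal ; hostname nx-core-01 (SUCCESS)
"""

def parse_entry(line):
    """Return the fields of one accounting-log entry, or None if the line does not match."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["cmd"] = re.sub(r"\s*\((SUCCESS|FAILURE)\)\s*$", "", entry["cmd"])  # drop result suffix
    return entry

def audit(log_text):
    """List configuration-mode commands run by privileged accounts; flag off-subnet sources."""
    findings = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if not e or e["type"] != "update":
            continue  # only 'update' records carry an executed command
        if USER_ROLES.get(e["user"]) not in PRIVILEGED_ROLES:
            continue
        if not e["cmd"].startswith("configure terminal"):
            continue  # the advisory concerns configuration CLI commands
        try:
            off_subnet = not any(ipaddress.ip_address(e["src"]) in n for n in MGMT_NETWORKS)
        except ValueError:  # console sessions carry no IP address
            off_subnet = False
        findings.append({"user": e["user"], "src": e["src"], "cmd": e["cmd"], "off_subnet": off_subnet})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(("OFF-SUBNET " if f["off_subnet"] else "") + f"{f['user']}@{f['src']}: {f['cmd']}")
```

Feed it the saved output of "show accounting log" from each switch in the affected families, and review every flagged entry alongside the credential rotation Cisco recommends.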