Velvet Ant Crushes Cisco Gear, Gains Root Access

Cisco has identified a zero-day vulnerability in its NX-OS software that attackers have exploited to install previously unknown malware with root privileges on vulnerable Cisco Nexus switches.

Sygnia, a cybersecurity company, was the first to report the zero-day vulnerability in Cisco’s software and linked the attacks to Chinese state-sponsored hackers known as Velvet Ant. The group’s primary objective is espionage, with a focus on maintaining long-term access to victim networks.

According to data from Sygnia, the attackers acquired administrator accounts to access Cisco Nexus switches and deploy the malicious software, allowing them to remotely connect to compromised devices, upload additional files, and execute malicious code. It is believed that Velvet Ant hackers initially infiltrated the organization’s network before exploiting the vulnerability.

The vulnerability (CVE-20399) is rated 6.0 on the Common Vulnerability Scoring System (CVSS) and stems from insufficient validation of arguments passed to specific configuration CLI commands. Exploiting it allows an attacker to execute arbitrary commands on the underlying operating system with root privileges.

Attackers can manipulate the operating system without triggering system log messages, thereby concealing any signs of compromise on NX-OS devices.
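The weakness described above belongs to the command-injection class: a privileged management CLI accepts an argument and hands it to the underlying operating system without adequate validation. The following is an added illustration of that class and of the two controls that close it, written for this article; it is not Cisco's NX-OS code, and the helper binary path, the interface-name pattern and the sample inputs are all constructed assumptions.

```python
import re

# Constructed illustration of insufficient CLI argument validation.
# Hypothetical helper binary that a management CLI might call for an
# interface; the path is an assumption, not a real NX-OS component.
HELPER_BIN = "/usr/bin/ifstat-helper"

# Characters that a POSIX shell would interpret as command separators,
# substitutions or redirections if the argument reached a shell string.
SHELL_METACHARS = set(";|&`$<>()\n\\\"'")

# Allowlist for interface names, e.g. "Ethernet1/1" or "mgmt0" (assumed
# format for this example).
INTERFACE_RE = re.compile(r"^[A-Za-z]+[0-9]+(/[0-9]+)*$")


def build_shell_command_unsafe(interface: str) -> str:
    """Weak pattern: the CLI argument is spliced into a shell command
    string with no validation. If this string were executed by a shell,
    any metacharacter in `interface` would change what runs on the
    underlying OS. The string is returned, not executed, for inspection."""
    return f"{HELPER_BIN} {interface}"


def has_shell_metachars(arg: str) -> bool:
    """Cheap audit check: does the argument contain anything a shell would
    treat specially? Useful for flagging suspicious command arguments in
    accounting records before they reach a privileged helper."""
    return any(ch in SHELL_METACHARS for ch in arg)


def build_argv_safe(interface: str) -> list[str]:
    """Hardened pattern with two independent controls:
    1. Allowlist validation: reject anything that is not a well-formed
       interface name.
    2. No shell: return an argv list, so the argument is always delivered
       to the helper as a single literal parameter (e.g. via
       subprocess.run(argv) without shell=True) and metacharacters are
       never interpreted, even if validation were ever loosened."""
    if not INTERFACE_RE.fullmatch(interface):
        raise ValueError(f"rejected interface argument: {interface!r}")
    return [HELPER_BIN, interface]


if __name__ == "__main__":
    # Constructed sample arguments: one benign, one carrying a separator.
    for arg in ("Ethernet1/1", "Ethernet1/1; some-other-command"):
        print("unsafe string :", build_shell_command_unsafe(arg))
        print("metachars     :", has_shell_metachars(arg))
        try:
            print("safe argv     :", build_argv_safe(arg))
        except ValueError as exc:
            print("safe argv     :", exc)
```

The allowlist decides what an argument may look like; the argv form decides how it is delivered. Keeping both means a validation gap does not automatically become OS command execution, which is the failure the article describes.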

The affected devices include various models of Nexus switches running vulnerable NX-OS software, such as MDS 9000 Series, Nexus 3000 Series, Nexus 5500 Platform, Nexus 5600 Platform, Nexus 6000 Series, Nexus 7000 Series, and Nexus 9000 Series in standalone NX-OS mode.

Cisco advises customers to regularly monitor and update network administrator and VDC Admin credentials. Administrators can utilize the Cisco Software Checker tool to determine if their devices are susceptible to attacks exploiting this vulnerability.

Velvet Ant first emerged in a cyberattack documented by Sygnia in May, targeting an unidentified organization in East Asia over a three-year period. The threat actors utilized compromised F5 Big-IP devices to covertly steal client and financial data.
