Cisco 0Day Exposes Massive Chinese Hacker Campaign

In early 2024, the Chinese hacking group Velvet Ant exploited a recently patched zero-day vulnerability in Cisco switches to gain control of the devices and evade detection.

The vulnerability, identified as CVE-2024-20399 with a CVSS score of 6.7, allowed attackers to deploy malicious software and gain extensive control over the compromised system, enabling data theft and persistent access.

Using the exploit described in a blog post by Sygnia, Velvet Ant executed arbitrary commands on the Linux operating system underlying the NX-OS shell. Exploitation required access to the switch's management console, which is typically held by the administrator, before the attackers could carry out their operations.

Sygnia experts first noticed the activities of the Velvet Ant group during a targeted campaign against an organization in East Asia, where the hackers leveraged outdated F5 Big-IP devices to maintain access to the compromised network.

The discovery of the covert exploitation of CVE-2024-20399 occurred in early July, leading Cisco to release security updates swiftly to address the issue. Velvet Ant demonstrated advanced technical skills and a propensity to adapt their tactics, expanding their infections to include Windows systems and outdated servers and network devices to evade detection.

According to Sygnia researchers, Velvet Ant's shift towards targeting internal network devices represents a new evasion tactic. Their latest attack chain involved exploiting the Cisco switch vulnerability, carrying out reconnaissance, and deploying a malicious script to establish backdoor access.

The Velvetshell malware used by Velvet Ant combines two open-source tools, UNIX Backdora and 3proxy, at the OS level. This malicious software allows the attackers to execute commands, manipulate files, and tunnel network traffic.

The actions of Velvet Ant underscore the significant risks of incorporating third-party equipment and applications into corporate networks. Such devices often operate as "black boxes" with little visibility into their internals, making them attractive targets for attackers.
