A China-nexus cyber espionage group named Velvet Ant has been observed exploiting a zero-day flaw in Cisco NX-OS Software used in its switches to deliver malware.
The vulnerability, tracked as CVE-2024-20399 (CVSS score: 6.0), concerns a case of command injection that allows an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device.
“By exploiting this vulnerability, Velvet Ant successfully executed a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices,” cybersecurity firm Sygnia said in a statement shared with The Hacker News.
Cisco said the issue stems from insufficient validation of arguments that are passed to specific configuration CLI commands, which could be exploited by an adversary by including crafted input as the argument of an affected configuration CLI command.
What’s more, it allows a user with Administrator privileges to execute commands without triggering system syslog messages, thereby making it possible to conceal the execution of shell commands on hacked appliances.
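The two weaknesses Cisco describes, an unvalidated CLI argument reaching the underlying shell and shell execution that leaves no syslog trail, are illustrated below with a constructed Python model of a device command handler. This is an added example written for this article, not Cisco code or anything from the NX-OS CLI; the `show-file` command, the `/bootflash` base path and the audit record format are assumptions.

```python
import re
import subprocess
from datetime import datetime, timezone

# Constructed example: a hypothetical "show-file <path>" device command whose
# argument names a file under a fixed base directory. Nothing here is NX-OS code.
ARG_PATTERN = re.compile(r"^[A-Za-z0-9_.\-/]{1,128}$")
AUDIT_LOG = []  # stands in for syslog records that should reach a central collector


def unsafe_command_line(user_arg: str) -> str:
    """Vulnerable pattern: the argument is spliced into a shell string unchecked,
    so shell metacharacters in it become part of the command. Returned only
    for inspection in this example; it is never executed."""
    return "cat /bootflash/" + user_arg


def audit(user: str, command: str, arg: str, outcome: str) -> None:
    """Emit one structured audit record per shell-backed command, whether the
    argument was accepted or rejected, so nothing runs silently."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "command": command, "arg": arg, "outcome": outcome,
    })


def safe_show_file(user: str, user_arg: str, base: str = "/bootflash") -> list:
    """Hardened pattern: allowlist-validate the argument, reject absolute paths
    and traversal, log the decision, and return an argv list in which the
    argument is a single element that no shell will re-parse."""
    if (not ARG_PATTERN.fullmatch(user_arg)
            or user_arg.startswith("/")
            or ".." in user_arg.split("/")):
        audit(user, "show-file", user_arg, "rejected")
        raise ValueError("invalid argument for show-file")
    audit(user, "show-file", user_arg, "allowed")
    return ["cat", f"{base}/{user_arg}"]


def run_argv(argv: list) -> str:
    """Execute an argv list without a shell; metacharacters stay literal."""
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(unsafe_command_line("cfg.txt; echo injected"))  # metacharacters survive
    print(safe_show_file("admin", "configs/cfg.txt"))      # validated argv list
    print(AUDIT_LOG)
```

The point of the hardened handler is that `AUDIT_LOG` gains a record on every call, including rejected ones, which is exactly the evidence the syslog-free code path in the flaw denies defenders.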
Despite the code execution capabilities of the flaw, the lower severity is due to the fact that successful exploitation requires an attacker to be already in possession of administrator credentials and have access to specific configuration commands. The following devices are impacted by CVE-2024-20399 –
- MDS 9000 Series Multilayer Switches
- Nexus 3000 Series Switches
- Nexus 5500 Platform Switches
- Nexus 5600 Platform Switches
- Nexus 6000 Series Switches
- Nexus 7000 Series Switches, and
- Nexus 9000 Series Switches in standalone NX-OS mode
Velvet Ant was first documented by the Israeli cybersecurity firm last month in connection with a cyber attack targeting an unnamed organization located in East Asia for a period of about three years by establishing persistence using outdated F5 BIG-IP appliances in order to stealthily steal customer and financial information.
“Network appliances, particularly switches, are often not monitored, and their logs are frequently not forwarded to a centralized logging system,” Sygnia said. “This lack of monitoring creates significant challenges in identifying and investigating malicious activities.”
The development comes as threat actors are exploiting a critical vulnerability affecting D-Link DIR-859 Wi-Fi routers (CVE-2024-0769, CVSS score: 9.8) – a path traversal issue leading to information disclosure – to gather account information such as names, passwords, groups, and descriptions for all users.
“The exploit’s variations […] enable the extraction of account details from the device,” threat intelligence firm GreyNoise said. “The product is End-of-Life, so it will not be patched, posing long-term exploitation risks. Multiple XML files can be invoked using the vulnerability.”