
Chinese Velvet Ant uses Cisco Zero-Day to deliver customized malware

A Chinese cyber espionage group was observed spreading customized malware after jailbreaking a Cisco switch device using a recently discovered zero-day exploit.

While investigating the attack techniques of Velvet Ant, a suspected Chinese-sponsored advanced persistent threat (APT) group, cybersecurity firm Sygnia discovered in July 2024 that the group had exploited a zero-day command injection vulnerability in Cisco’s NX-OS (CVE-2024-20399).

NX-OS is a network operating system specifically designed for Cisco Nexus series switches.

In a new report published on August 22, Sygnia reveals that the threat actor used the zero-day exploit to deliver customized malware.

Using a zero-day attack to spread malware

The zero-day exploit allows an attacker with valid administrative credentials for the switch management console to break out of the NX-OS command line interface (CLI) and execute arbitrary commands on the underlying Linux operating system.

By exploiting this vulnerability, Velvet Ant was able to compromise and control local Cisco switch devices and use them as a central hub for reaching additional network devices, which also allowed further activity originating from known compromised locations to be clearly identified.

Once exploited, Velvet Ant deployed customized malware that runs on the underlying operating system and is invisible to common security tools.

The malware, called VelvetShell by Sygnia, is a hybrid, customized version of two open source tools: TinyShell, a Unix backdoor, and a proxy tool called 3proxy.

This increasingly evasive tactic allows the APT group to maintain long-term persistence in the network, which is critical when conducting a cyber espionage campaign.

Cisco released a fix for this vulnerability on July 1, 2024.

A few days later, the US Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog.
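One way a defender can act on the KEV listing mentioned above is to cross-check a device inventory against the catalog feed and flag unpatched assets that are past CISA's remediation due date. This is an added example, not code from the article or from Sygnia; the KEV feed excerpt and the inventory are constructed samples with placeholder dates, and only the feed's field names (cveID, vendorProject, product, dateAdded, dueDate) are taken from the real catalog format.

```python
"""Added example: cross-check a device inventory against the CISA KEV feed.

The KEV JSON has a "vulnerabilities" list whose entries carry cveID, vendorProject,
product, dateAdded and dueDate. Feed excerpt and inventory below are constructed
samples; the dates are placeholders, not the catalog's real values.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the KEV feed (real field names, sample values).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-20399", "vendorProject": "Cisco", "product": "NX-OS",
     "dateAdded": "2024-07-02", "dueDate": "2024-07-23"},
    {"cveID": "CVE-0000-0000", "vendorProject": "ExampleCorp", "product": "Widget",
     "dateAdded": "2024-01-01", "dueDate": "2024-01-22"},
]})

# Constructed inventory: hostname, vendor, product, and whether the fix is applied.
INVENTORY = [
    {"host": "core-sw-01", "vendor": "Cisco", "product": "NX-OS", "patched": False},
    {"host": "core-sw-02", "vendor": "Cisco", "product": "NX-OS", "patched": True},
    {"host": "edge-fw-01", "vendor": "Other", "product": "Firewall", "patched": False},
]

def kev_index(feed_json):
    """Map (vendor, product), lowercased, to the KEV entries for that product."""
    index = {}
    for entry in json.loads(feed_json)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        index.setdefault(key, []).append(entry)
    return index

def exposed_devices(feed_json, inventory, today_iso):
    """Unpatched devices matching a KEV entry, with days past the CISA due date."""
    today = date.fromisoformat(today_iso)
    index = kev_index(feed_json)
    findings = []
    for device in inventory:
        if device["patched"]:
            continue  # fix already applied; nothing to report for this host
        key = (device["vendor"].lower(), device["product"].lower())
        for entry in index.get(key, []):
            overdue = (today - date.fromisoformat(entry["dueDate"])).days
            findings.append({"host": device["host"], "cve": entry["cveID"],
                             "days_overdue": max(0, overdue)})
    return findings

if __name__ == "__main__":
    for finding in exposed_devices(KEV_SAMPLE, INVENTORY, "2024-08-22"):
        print(finding)
```

In practice the feed would be fetched from CISA's published JSON and the inventory pulled from the asset database; product matching may need normalisation beyond the exact-string match used here.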

Velvet Ant’s multi-year intrusion campaigns

This zero-day exploit was part of a multi-year intrusion campaign discovered by Sygnia in 2023.

The campaign involved exploiting multiple access points in the target organizations’ networks.

This sophisticated approach indicates a comprehensive understanding of the target’s environment, Sygnia noted in its campaign analysis.

“Over the years of espionage activities, Velvet Ant has increased its sophistication and uses evolving tactics to continue its cyber operations on a victim network – from operating on ordinary endpoints, to moving operations to legacy servers, to moving to network devices and using zero-day attacks,” the company commented.

“The determination, adaptability and persistence of such threat actors underscores the importance of a holistic response plan that not only contains and mitigates the threat, but also monitors the network for further attempts to exploit the network,” the Sygnia researchers concluded.

Photo credit: pchow98/Flickr
