Chinese ‘Velvet Ant’ Hackers Caught Using New Zero-Day Code on Cisco Devices

A recently discovered zero-day vulnerability affecting a popular series of Cisco devices was exploited in an April attack by government-backed hackers from China.

Cisco and cybersecurity firm Sygnia on Monday issued advisories about CVE-2024-20399, a security flaw in the Cisco NX-OS software used in Nexus series switches that connect devices in a network.

Amnon Kushir, head of incident response research at Sygnia, said the discovery of the vulnerability came as part of a larger forensic investigation involving a criminal group called Velvet Ant.

“Threat actors harvested administrator-level credentials to access Cisco Nexus switches and deploy previously unknown custom malware that allowed them to remotely connect to infected devices, upload additional files, and execute malicious code,” Kushir explained.

“We immediately reported this vulnerability and its exploit to Cisco and provided detailed information about how the attack was carried out.”

Cisco has released software updates that patch the vulnerability, but noted that there are no workarounds. The company said its Product Security Incident Response Team (PSIRT) learned of the attempted exploit in April.

The vulnerability affects multiple Cisco products running a vulnerable version of Cisco NX-OS software.

Cisco Nexus switches are common in enterprise environments, especially data centers, according to Sygnia, but most of them aren’t directly exposed to the internet. Network devices such as switches often lack sufficient protection, and organizations frequently fail to take additional steps to secure them, Kushir added.

Kushir told Recorded Future News that Velvet Ant hackers likely first compromised the organization’s network before exploiting the vulnerability — calling it “another example of Velvet Ant’s sophistication and insidiousness in infiltrating network devices.” The group’s primary goal is espionage, and it focuses on establishing long-term access to a victim’s network.

In June, Sygnia wrote about another Velvet Ant campaign in which hackers were able to maintain multiple footholds in a victim company’s environment for three years. The group used outdated F5 BIG-IP hardware to go undetected and obtain private data, including financial and customer information.