
Cisco Nexus Zero-Day Triggers Alarms Despite Its CVSS Score

Dive Brief:

  • A suspected threat actor with ties to China is actively exploiting a zero-day vulnerability in Cisco NX-OS software, researchers said Monday.
  • The suspected actor, dubbed Velvet Ant, is exploiting a command injection vulnerability identified as CVE-2024-20399 which, according to Sygnia researchers, affects a wide range of Cisco Nexus devices. The vulnerability has a CVSS score of 6.0, but researchers warn that the threat actor is very sophisticated and deploys custom malware.
  • Cisco on Monday released software updates for some NX-OS hardware platforms and will continue to release additional patches as they become ready. The company said there are no workarounds for the vulnerability.

Dive Insight:

Sygnia discovered the vulnerability as part of a broader investigation into Velvet Ant’s espionage activities. It determined that the threat actor had been operating on the victim’s computer network for three years.

During an earlier investigation, Sygnia found that the suspected state-sponsored actor maintained persistence on a legacy F5 BIG-IP device that was exposed to the internet.

Sygnia detected the threat against Cisco Nexus devices earlier this year and reported it to the company.

Cisco Nexus devices are often used as backbone switches for data centers, according to Amnon Kushnir, director of incident response at Sygnia. The ability for a hacker to gain root access to a Linux-based operating system and deploy custom malware makes threat activity particularly challenging.

Network devices — and switches in particular — are often not monitored, and logs are typically not sent to a centralized logging system, according to researchers at Sygnia. The custom malware allowed the hacker to “enable code execution and traffic tunneling,” so once the malware was deployed, hackers no longer had to log in to access the network.
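The monitoring gap described above is a detection problem: if accounting and syslog records never leave the switch, nobody reviews them, and a drop from the NX-OS CLI into the underlying Linux shell goes unnoticed. As an added example that is not part of the article and is not Cisco or Sygnia tooling, the following Python script parses constructed lines shaped like NX-OS `show accounting log` output and flags commands that enable or enter the bash shell. The log format, hostnames, usernames and timestamps are all assumptions made up for the illustration; it is meant to run on log copies forwarded off the device, which is exactly what the researchers say rarely happens.

```python
import re
from dataclasses import dataclass

# Constructed sample lines approximating NX-OS "show accounting log" output.
# They are made up for this example and do not come from the article or from
# any real device.
SAMPLE_LOG = """\
Mon Jul  1 09:14:02 2024:type=update:id=10.0.0.21@pts/0:user=netops:cmd=configure terminal ; interface Ethernet1/1 ; description uplink (SUCCESS)
Mon Jul  1 09:15:40 2024:type=update:id=10.0.0.21@pts/0:user=netops:cmd=copy running-config startup-config (SUCCESS)
Mon Jul  1 23:41:07 2024:type=update:id=203.0.113.9@pts/1:user=admin:cmd=configure terminal ; feature bash-shell (SUCCESS)
Mon Jul  1 23:41:19 2024:type=start:id=203.0.113.9@pts/1:user=admin:cmd=run bash (SUCCESS)
Mon Jul  1 23:42:05 2024:type=update:id=203.0.113.9@pts/1:user=admin:cmd=no feature bash-shell (SUCCESS)
"""

# One accounting record: timestamp, record type, source session, user,
# the command string and its result.
LINE_RE = re.compile(
    r"^(?P<ts>.+?):type=(?P<kind>\w+):id=(?P<id>[^:]+):user=(?P<user>[^:]+)"
    r":cmd=(?P<cmd>.*?)\s*\((?P<result>\w+)\)\s*$"
)

# Commands that toggle or enter the underlying bash shell. On a switch whose
# operators never use the shell, any of these is worth a ticket; the
# "no feature bash-shell" case is included because enabling, using and then
# disabling the feature in one session looks different from routine config.
SHELL_ACCESS_PATTERNS = (
    re.compile(r"\bfeature bash-shell\b"),
    re.compile(r"\brun bash\b"),
)


@dataclass
class AccountingEntry:
    ts: str
    kind: str
    source: str   # host part of the id field, e.g. "10.0.0.21"
    user: str
    cmd: str
    result: str


def parse_accounting_log(text: str) -> list[AccountingEntry]:
    """Parse accounting-log text into entries; unparseable lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append(AccountingEntry(
            ts=m["ts"],
            kind=m["kind"],
            source=m["id"].split("@", 1)[0],
            user=m["user"],
            cmd=m["cmd"],
            result=m["result"],
        ))
    return entries


def find_shell_access(entries: list[AccountingEntry]) -> list[AccountingEntry]:
    """Return entries whose command enables or enters the bash shell."""
    return [
        e for e in entries
        if any(p.search(e.cmd) for p in SHELL_ACCESS_PATTERNS)
    ]


if __name__ == "__main__":
    hits = find_shell_access(parse_accounting_log(SAMPLE_LOG))
    for h in hits:
        print(f"{h.ts}  user={h.user}  from={h.source}  {h.kind:6}  {h.cmd}  ({h.result})")
```

The detector only sees what reaches it; the article's point is that on most networks the accounting log never leaves the switch. Forwarding syslog to a central collector with NX-OS's `logging server` configuration, and exporting the accounting log alongside it, is the prerequisite that makes a check like this useful.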

The Cybersecurity and Infrastructure Security Agency has added the bug to its Known Exploited Vulnerabilities catalog. The flaw could allow an attacker to execute arbitrary commands with root privileges. However, attackers must already have root privileges to exploit the flaw.