Recently a Chinese threat group has been found exploiting a zero-day vulnerability in Cisco switches, enabling them to gain complete control over affected systems. This revelation has sent shockwaves through the cybersecurity community, underscoring the persistent and evolving threat posed by nation-state actors. The flaw, identified as CVE-2024-20399, had been undisclosed until recently, making it a potent tool in the hands of hackers before Cisco managed to patch it.
The group behind the attacks, known as Velvet Ant, has a history of sophisticated cyber espionage activities. Their latest campaign, observed earlier this year, involved the strategic weaponization of this newly discovered vulnerability to install custom malware, maintain persistent access, and siphon off sensitive data from compromised systems. The zero-day exploit’s impact is significant, with a CVSS score of 6.0, reflecting its potential for damage.
Understanding the Exploit
The exploit is particularly dangerous because it allows attackers with valid administrator credentials to bypass the Cisco NX-OS command line interface (CLI), which is typically the interface through which network administrators manage the switch. Once bypassed, the attackers can execute arbitrary commands on the underlying Linux operating system, essentially taking over the device. According to a report by Sygnia, an Israeli cybersecurity firm that uncovered the details, this flaw gives attackers an almost unrestricted foothold within the compromised environment, allowing for extensive manipulation and control.
This capability was utilized by Velvet Ant to install a piece of malware designed specifically for this campaign. The malware, embedded within the network’s architecture, enabled the group to carry out their activities undetected for a prolonged period, exfiltrating data and maintaining a covert presence within the system.
Velvet Ant’s Modus Operandi
Velvet Ant first came onto the radar of cybersecurity researchers due to its prolonged campaign against an unnamed organization in East Asia. This campaign, which spanned several years, demonstrated the group’s ability to leverage older, legacy systems—such as F5 BIG-IP appliances—to establish a foothold in the targeted environment. By exploiting these systems, the group could move laterally across the network, escalating their access and deploying their tools with precision.
The group’s exploitation of CVE-2024-20399 is a testament to their adaptability and technical prowess. Their operations reflect a high degree of sophistication, as they seamlessly transitioned from newer Windows systems to older, legacy Windows servers and network devices. This shift is indicative of their strategic approach to evasion, making it increasingly difficult for defenders to detect their activities. By operating from within internal network devices, Velvet Ant effectively minimized their digital footprint, thereby avoiding detection and ensuring the continuity of their espionage efforts.
The Attack Chain
The attack chain initiated by Velvet Ant is particularly alarming. It begins with the exploitation of the zero-day vulnerability in a Cisco switch, allowing them to gain a foothold in the network. Following this, the attackers conducted reconnaissance activities to map out the network, identify other vulnerable devices, and strategize their next moves. This reconnaissance was followed by the deployment of a backdoor binary via a malicious script, effectively embedding themselves within the network infrastructure.
The backdoor, known as VELVETSHELL, is a blend of two open-source tools: Tiny SHell, a Unix backdoor, and 3proxy, a proxy utility. Together, these tools provide the attackers with robust capabilities, including the execution of arbitrary commands, file transfers, and the establishment of tunnels to proxy network traffic. This backdoor not only facilitates ongoing access but also allows the attackers to manipulate and monitor network communications, further entrenching their presence in the compromised environment.
Implications for Cybersecurity
The Velvet Ant operation raises serious concerns about the vulnerabilities inherent in third-party appliances and applications that many organizations rely on. The “black box” nature of such devices—where the internal workings are not fully transparent to users—makes them particularly susceptible to exploitation. Each piece of hardware or software introduced into a network potentially expands the attack surface, offering adversaries new avenues for infiltration.
As this case illustrates, the consequences of such vulnerabilities can be severe, with attackers gaining deep access to critical systems, often going undetected for extended periods. It is a stark reminder that organizations must remain vigilant, not only in patching known vulnerabilities but also in closely monitoring the security of all third-party tools and devices within their networks.
Conclusion
The discovery of Velvet Ant’s exploitation of the Cisco zero-day vulnerability underscores the growing sophistication of nation-state cyber operations. As hackers continue to refine their tactics and exploit even the smallest cracks in cybersecurity defenses, it is crucial for organizations to adopt a proactive and comprehensive approach to security. This includes regular updates, thorough network monitoring, and a keen awareness of the risks posed by third-party appliances. The battle against cyber threats is unending, and staying ahead of attackers requires constant vigilance and adaptation.
Follow us on 
(Twitter) for real time updates and exclusive content.
Great information shared.. really enjoyed reading this post thank you author for sharing this post .. appreciated