China-Nexus Cyber Spies Velvet Ant Exploit Cisco Zero-Day to Execute Malicious Code

Written by Lore Apostol
Published on July 2, 2024

A China-nexus cyber-espionage group has been observed exploiting a zero-day vulnerability in Cisco NX-OS Software to deliver malware, a Sygnia report says, attributing the exploit to the Velvet Ant threat actor. The newly discovered CVE-2024-20399 command injection flaw affects a wide range of Cisco Nexus switches, for which this operating system is specifically used.

NX-OS is based on a Linux kernel but provides its own set of commands using the NX-OS CLI. An attacker would need a “jailbreak” type of vulnerability to escape the NX-OS CLI context and execute commands on the Linux OS from the Switch management console, and CVE-2024-20399 permits arbitrary code execution leveraging valid administrator credentials.

The cybercriminal group exploited this vulnerability as a ‘zero-day’ and executed commands on the Cisco Nexus devices’ operating system to deploy previously unknown custom malware, which permitted remote access to the compromised devices, uploading additional files, and remote code executions.

This medium-severity vulnerability impacts MDS 9000 Series Multilayer, Nexus 3000 Series, Nexus 5500 Platform, Nexus 5600 Platform, Nexus 6000 Series, Nexus 7000 Series, and Nexus 9000 Series switches in standalone NX-OS mode.

Velvet Ant was seen compromising Internet-exposed legacy F5 BIG-IP appliances to maintain access to the target network of an unnamed organization located in East Asia for about three years. The threat actor achieved remarkable persistence within the environment of one victim company and hijacked execution flow via DLL search order hijacking, Phantom DLL loading, and DLL sideloading for espionage.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: