China-Nexus Group Velvet Ant Exploits Cisco Zero-Day (CVE-2024-20399)
At the beginning of 2024, the Chinese group Velvet Ant exploited a patched zero-day vulnerability (CVE-2024-20399, CVSS 6.7) in Cisco switches to gain control over devices and bypass threat detection systems.
This vulnerability allowed the attackers to implant a unique malware and achieve extensive control over the compromised system, facilitating both data theft and persistent access.
According to Sygnia, Velvet Ant leveraged the exploit to execute arbitrary commands on Linux, operating under the NX-OS shell. To successfully carry out the attack, the cybercriminals required valid administrator credentials to access the switch’s management console.
Sygnia first became aware of the Velvet Ant group during a years-long campaign targeting an organization in East Asia. Throughout the campaign, Velvet Ant exploited outdated F5 BIG-IP devices to establish enduring access to the compromised environment.
The covert exploitation of CVE-2024-20399 was detected in early July, prompting Cisco to release security updates to address the issue. Velvet Ant demonstrated a high level of technical sophistication and the ability to adapt their methods, shifting from infecting new Windows systems to targeting legacy servers and network devices, thereby evading detection.
Sygnia’s experts believe that the shift towards exploiting internal network devices represents a new tactic for circumventing security measures. The latest attack sequence involved compromising a Cisco switch using CVE-2024-20399, conducting reconnaissance operations, and executing a malicious script, which ultimately led to the deployment of a backdoor.
Snippet from ‘IDA’ decompile software, showing the reconstructed VELVETSHELL malware functions, which include 3proxy functionalities. | Image: Sygnia
The malware, named VELVETSHELL, is a combination of two open-source tools: the Unix backdoor Tiny SHell and the proxy utility 3proxy. The malware operates stealthily at the OS level, enabling arbitrary command execution, file uploads, and downloads, as well as establishing tunnels for proxying network traffic.
The activities of Velvet Ant underscore the significant risks associated with the use of third-party hardware and applications within corporate networks. Such devices often function as a “black box,” largely hidden from the user, making them a potential target for attackers.
