Cybersecurity researchers at Sygnia have discovered that the China-linked Advanced Persistent Threat (APT) group known as Velvet Ant has successfully exploited a recently disclosed zero-day vulnerability in Cisco switches to compromise network appliances.
The Zero-Day Vulnerability: CVE-2024-20399

In July 2024, Cisco addressed a critical security flaw, identified as CVE-2024-20399, in its NX-OS software. This vulnerability, with a CVSS score of 6.0, allowed authenticated attackers to execute arbitrary commands as root on the underlying operating system of affected devices.

The vulnerability stems from insufficient validation of arguments passed to specific configuration CLI commands. Exploiting this flaw requires administrator credentials, highlighting the importance of robust credential management practices.
Velvet Ant’s Sophisticated Attack Strategy

Sygnia researchers observed Velvet Ant exploiting CVE-2024-20399 as a zero-day vulnerability in April 2024. The APT group leveraged valid administrator credentials to escape the NX-OS command line interface (CLI) and execute arbitrary commands on the underlying Linux operating system.

Following the initial exploit, Velvet Ant deployed a custom malware dubbed “VELVETSHELL” by Sygnia. This malware operates on the underlying OS and remains undetected by typical security tools, demonstrating the group’s advanced capabilities.
VELVETSHELL: A Hybrid Malware Threat

Sygnia managed to reconstruct the VELVETSHELL malware from device memory, despite the threat actor’s attempts to delete it. The malware is a sophisticated hybrid of two open-source tools: TinyShell and 3proxy.
VELVETSHELL’s capabilities include:

Executing arbitrary commands
Downloading and uploading files
Establishing network traffic tunnels

These functionalities allow Velvet Ant to maintain persistent access and control over compromised systems, facilitating data exfiltration and ongoing espionage activities.
Impacted Cisco Devices

The vulnerability affects several Cisco device families, including:

MDS 9000 Series Multilayer Switches
Nexus 3000 Series Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 7000 Series Switches
Nexus 9000 Series Switches in standalone NX-OS mode

Mitigation and Response

Cisco recommends that customers monitor the use of credentials for administrative users, particularly network-admin and vdc-admin accounts. The company has also provided the Cisco Software Checker to help customers determine if their devices are vulnerable to this flaw.

In response to the severity of the threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-20399 to its Known Exploited Vulnerabilities (KEV) catalog.
Evolving Tactics of APT Velvet Ant

Sygnia’s research reveals a clear evolution in Velvet Ant’s tactics over time. The group has progressed from operating on ordinary endpoints to targeting legacy servers, and now focusing on network appliances using zero-day exploits.

This shift towards compromising network appliances presents unique challenges for defenders. These devices typically prevent users from accessing the underlying operating system, making it extremely difficult to scan for indicators of compromise using traditional methods.

The sophisticated nature of Velvet Ant’s operations underscores the ongoing threat posed by state-sponsored APT groups. Their ability to leverage zero-day vulnerabilities and develop custom malware tailored for network appliances demonstrates a high level of resources and expertise.