A China-nexus cyberthreat organization dubbed Velvet Ant has been exploiting a recently disclosed vulnerability in Cisco switches as a zero-day to take control of systems and evade detection, reports The Hacker News.
The flaw, tracked as CVE-2024-20399 with a CVSS score of 6.0, allows attackers who already hold valid administrator credentials to bypass the NX-OS command-line interface and execute arbitrary commands on the underlying Linux OS, said cybersecurity firm Sygnia, which detected the activity earlier this year.
The attackers used custom malware to exfiltrate data and maintain persistent access, leveraging legacy F5 BIG-IP appliances and moving from new Windows systems to older servers and network devices. Their tactics included the use of a payload called VELVETSHELL that combines a Unix backdoor called Tiny SHell and a proxy utility dubbed 3proxy, which enables command execution, file transfers, and network traffic proxying.
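Because the flaw described above needs valid administrator credentials before it can be used, and the intrusion relied on long-lived access to network appliances, one practical control is to alert whenever a privileged account logs in to a switch from somewhere other than the designated jump hosts or outside a change window. The script below is an added illustration, not code from Sygnia or The Hacker News; the log format, addresses, account names and time window are all constructed assumptions and are not real NX-OS output.

```python
"""Flag privileged logins to network appliances that fall outside the
expected jump-host subnet or change window.

Added illustration; the log line shape, hostnames, addresses and policy
values below are constructed for this example and are not real NX-OS output."""
import ipaddress
import re
from datetime import datetime

# Constructed sample log lines (assumed generic syslog-like shape, not real device output).
SAMPLE_LOGS = """\
2024-06-03T09:12:41Z switch-core-01 login: user admin logged in from 10.10.5.2 via ssh
2024-06-03T09:14:02Z switch-core-01 login: user netops logged in from 10.10.5.3 via ssh
2024-06-03T21:47:19Z switch-core-01 login: user admin logged in from 192.168.77.41 via ssh
2024-06-04T02:03:55Z switch-core-02 login: user admin logged in from 10.10.5.2 via ssh
2024-06-04T10:30:00Z switch-core-02 login: user admin logged in from 172.16.9.9 via ssh
"""

# Assumed policy: admin sessions come only from the jump-host subnet, during a change window.
JUMP_HOSTS = [ipaddress.ip_network("10.10.5.0/24")]
PRIVILEGED_USERS = {"admin"}
CHANGE_WINDOW = (7, 19)  # 07:00 to 19:00 UTC; start inclusive, end exclusive

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login: user (?P<user>\S+) "
    r"logged in from (?P<src>\S+) via (?P<proto>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def reasons(event):
    """Return the list of policy violations for a single login event (empty if none)."""
    out = []
    if event["user"] not in PRIVILEGED_USERS:
        return out  # only privileged accounts are in scope for this rule
    if not any(event["src"] in net for net in JUMP_HOSTS):
        out.append("admin login from outside jump-host subnet")
    hour = event["ts"].hour
    if not (CHANGE_WINDOW[0] <= hour < CHANGE_WINDOW[1]):
        out.append("admin login outside change window")
    return out


def find_suspicious(logs):
    """Scan a block of log text and return (host, user, source, reasons) for each hit."""
    findings = []
    for line in logs.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        why = reasons(ev)
        if why:
            findings.append((ev["host"], ev["user"], str(ev["src"]), why))
    return findings


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print(hit)
```

On the constructed sample, the rule ignores the non-privileged `netops` session and the in-policy admin session, and reports the three admin logins that came from outside the jump-host subnet, outside the change window, or both. In a real deployment the allowlist and window would come from the organization's own access policy, and the parser would target the device's actual accounting or syslog format rather than the constructed shape used here.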
The group's activity "highlights risks and questions regarding third-party appliances and applications that organizations onboard," Sygnia said. "Due to the 'black box' nature of many appliances, each piece of hardware or software has the potential to turn into the attack surface that an adversary is able to exploit."