Subj : Cisco Nexus switches targeted by large-scale Chinese malware camp
To   : All
From : TechnologyDaily
Date : Tue Jul 02 2024 15:00:05

Cisco Nexus switches targeted by large-scale Chinese malware campaign

Date: Tue, 02 Jul 2024 13:49:00 +0000

Description: A zero-day in Cisco NX-OS gave the Chinese state-sponsored threat actor known as Velvet Ant root-level access to the switches.

FULL STORY
======================================================================

Chinese threat actors have been found abusing a zero-day vulnerability in certain Cisco switches to take over the devices and install malware.

The findings come courtesy of Sygnia, which recently uncovered a new malicious campaign apparently undertaken by a Chinese state-sponsored threat actor known as Velvet Ant.

"The threat actors gathered administrator-level credentials to gain access to Cisco Nexus switches and deploy a previously unknown custom malware that allowed them to remotely connect to compromised devices, upload additional files and execute malicious code," Amnon Kushnir, Director of Incident Response at Sygnia, told BleepingComputer.

Monitoring login credentials

The vulnerability has since been patched, so if you're running any of the models listed below, apply the fix immediately.

The vulnerability is tracked as CVE-2024-20399. According to Cisco, it can only be exploited by a local attacker who already holds administrator privileges, but it lets that attacker run arbitrary commands as root on the underlying operating system of NX-OS, the software powering the switches. In other words, it is not an initial-access bug: the attackers first had to obtain valid admin credentials, as Sygnia describes, and then used the flaw to break out of the restricted CLI to the host underneath it.

"This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command," Cisco said.
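The bug class Cisco describes, shown as an added illustration that is constructed for this page and is not NX-OS or Cisco code: a privileged configuration command hands an operator-supplied argument to the operating system shell without checking it, so shell metacharacters in the argument become extra commands that run with the wrapper's privileges. The command name, the `echo` backend and the hostname grammar are assumptions; the vulnerable and hardened variants sit side by side.

```python
"""Added illustration of the bug class Cisco describes for CVE-2024-20399
(constructed code, not NX-OS or Cisco code): a privileged configuration
command that hands an operator-supplied argument to the underlying OS shell
without validating it. On a real switch the wrapper runs as root, so
whatever is injected runs as root too; here the backend is just `echo`,
so the demo is harmless."""
import re
import subprocess

# Assumption: the config command wraps an OS-level tool. `echo` stands in for it.
BACKEND = "echo"


def set_hostname_vulnerable(hostname: str) -> str:
    """Deliberately vulnerable: the argument is spliced into one shell string,
    so shell metacharacters in it (';', '|', '`', '$(') become new commands."""
    cmd = f"{BACKEND} set-hostname {hostname}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return proc.stdout


# Assumption: a hostname is a single DNS label (RFC 1123 style): alphanumerics and
# hyphens, 1-63 characters, no leading or trailing hyphen. Nothing else is accepted.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(hostname: str) -> bool:
    return HOSTNAME_RE.fullmatch(hostname) is not None


def set_hostname_hardened(hostname: str) -> str:
    """Two independent fixes: reject anything outside the expected grammar, and
    never involve a shell at all (argv list, shell=False), so even a value that
    slipped past validation would reach the backend as one literal argument."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"rejected hostname argument: {hostname!r}")
    proc = subprocess.run([BACKEND, "set-hostname", hostname],
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    crafted = "sw1; echo INJECTED"        # constructed malicious argument
    # The second output line, INJECTED, is produced by the injected command.
    print(set_hostname_vulnerable(crafted), end="")
    try:
        set_hostname_hardened(crafted)
    except ValueError as e:
        print("hardened:", e)
    print(set_hostname_hardened("sw1"), end="")
```

The shape of the fix is the point: an allowlist grammar for each argument plus an argv-style call that never goes through a shell. Either one alone stops this particular payload; together, a gap in the grammar no longer turns into root command execution.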
Here is the full list of affected platforms:

  - MDS 9000 Series Multilayer Switches
  - Nexus 3000 Series Switches
  - Nexus 5500 Platform Switches
  - Nexus 5600 Platform Switches
  - Nexus 6000 Series Switches
  - Nexus 7000 Series Switches
  - Nexus 9000 Series Switches in standalone NX-OS mode

Besides letting an attacker run arbitrary commands as root, exploitation is quiet: it does not generate system syslog messages, so the command execution itself leaves no trace in the device's logs.

Because the exploit is silent and requires admin credentials, the place to look for signs of compromise is credential use. Cisco advises administrators to monitor the use of, and rotate, the credentials of users holding the network-admin and vdc-admin roles. To check whether a given device and software release are affected, use the Cisco Software Checker.

======================================================================
Link to news story: https://www.techradar.com/pro/security/cisco-nexus-switches-targeted-by-large-scale-chinese-malware-campaign

--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)
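Cisco's advice above, watching the use of network-admin and vdc-admin credentials, turned into a script, as an added example that is not part of the original story or of any Cisco, Sygnia or TechRadar material. Every input is constructed: the role table stands in for what `show user-account` would tell you, the addresses and accounts are made up, and the syslog lines only approximate the OpenSSH-derived "Accepted ... for USER from IP" message, so LOGIN_RE must be adjusted to what your switches actually emit.

```python
"""Added example (not code from TechRadar, Sygnia or Cisco): audit NX-OS-style
login telemetry for use of accounts holding the network-admin or vdc-admin
roles. Exploiting CVE-2024-20399 produces no syslog, but the admin login that
must precede it does, so that is the signal to watch. All input here is
constructed: the role table stands in for `show user-account` output and the
log lines approximate the OpenSSH-derived "Accepted ... for USER from IP"
message; adjust LOGIN_RE to what your switches actually emit."""
import ipaddress
import re
from dataclasses import dataclass

PRIVILEGED_ROLES = {"network-admin", "vdc-admin"}

# Constructed inventory of local accounts and their roles.
ACCOUNT_ROLES = {
    "admin": {"network-admin"},
    "netops": {"network-operator"},
    "svc-backup": {"vdc-admin"},
}

# Constructed: the only networks (jump hosts) that should ever open admin sessions.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) .*?"
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log; timestamps, hostnames and addresses are made up.
SAMPLE_LOG = [
    "2024 Jul  2 09:12:44 nx-core-1 %DAEMON-6-SYSTEM_MSG: Accepted publickey for admin from 10.10.0.21 port 51810 ssh2 - dcos_sshd[3211]",
    "2024 Jul  2 11:02:58 nx-core-1 %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for admin from 203.0.113.77 - dcos_sshd[3388]",
    "2024 Jul  2 11:03:09 nx-core-1 %DAEMON-6-SYSTEM_MSG: Accepted password for admin from 203.0.113.77 port 40122 ssh2 - dcos_sshd[3390]",
    "2024 Jul  2 11:05:51 nx-core-1 %DAEMON-6-SYSTEM_MSG: Accepted password for netops from 10.10.0.22 port 40180 ssh2 - dcos_sshd[3402]",
    "2024 Jul  2 11:07:13 nx-core-1 %DAEMON-6-SYSTEM_MSG: Accepted password for svc-backup from 192.0.2.9 port 40201 ssh2 - dcos_sshd[3419]",
    "2024 Jul  2 11:09:40 nx-core-1 %DAEMON-6-SYSTEM_MSG: Accepted password for maint from 203.0.113.77 port 40233 ssh2 - dcos_sshd[3431]",
]


@dataclass(frozen=True)
class Finding:
    severity: str          # "alert" or "review"
    ts: str
    host: str
    user: str
    roles: frozenset
    src: str
    method: str
    reason: str


def is_trusted(src: str) -> bool:
    """True only for a parseable address inside a trusted management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False          # hostnames or garbage never count as trusted
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def audit_logins(lines):
    findings = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue  # failed logins and other noise are out of scope here
        user, src, method = m["user"], m["src"], m["method"]
        if user not in ACCOUNT_ROLES:
            # An account the inventory does not know about is itself a finding:
            # attackers who gathered credentials may also have created their own.
            findings.append(Finding("review", m["ts"], m["host"], user, frozenset(),
                                    src, method, "login by account missing from the role inventory"))
            continue
        roles = ACCOUNT_ROLES[user] & PRIVILEGED_ROLES
        if not roles:
            continue  # only network-admin / vdc-admin use is what Cisco asks you to watch
        if not is_trusted(src):
            sev, why = "alert", "privileged login from outside the management network"
        elif method == "password":
            sev, why = "review", "privileged login with a password rather than a key"
        else:
            sev, why = "review", "privileged login; confirm against change records"
        findings.append(Finding(sev, m["ts"], m["host"], user, frozenset(roles), src, method, why))
    return findings


if __name__ == "__main__":
    for f in audit_logins(SAMPLE_LOG):
        print(f"{f.severity.upper():6} {f.ts} {f.host} user={f.user} roles={sorted(f.roles)} "
              f"from={f.src} via={f.method}: {f.reason}")
```

Run against exported syslog from each affected switch, every privileged login is either matched to a change record or escalated; the two alerts in the sample (admin and svc-backup signing in from outside the jump-host network) are the pattern Sygnia describes, stolen admin credentials used before the silent exploit.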