Velvet Ant Threat Group Exploits Zero-Day Vulnerability in Cisco Nexus Switches to Deploy Malware
Introduction
On August 22, 2024, Sygnia released a detailed report uncovering a sophisticated cyber espionage campaign conducted by the China-nexus threat group "Velvet Ant." This group recently exploited a zero-day vulnerability (CVE-2024-20399) in Cisco Nexus Switch appliances, enabling them to deploy stealthy malware dubbed VELVETSHELL. The report highlights the advanced tactics used by Velvet Ant to maintain persistent access within compromised networks, evading detection and escalating their control over critical infrastructure.
Report Overview
Velvet Ant is a well-known China-nexus threat group with a history of conducting long-term, targeted cyber espionage operations. The group has evolved its tactics over the years, moving from exploiting vulnerabilities in traditional endpoints to targeting legacy systems and, more recently, network appliances. In a campaign observed earlier in 2024, Velvet Ant leveraged a zero-day exploit in Cisco Nexus Switches to infiltrate enterprise networks, gaining unauthorized access to the underlying Linux operating system and deploying malware designed to avoid detection.
The zero-day vulnerability CVE-2024-20399 resides in the NX-OS command-line interface (CLI) of Cisco Nexus Switches. The vulnerability allows an attacker with valid administrator credentials to bypass the CLI and execute arbitrary commands on the underlying Linux OS. Once exploited, Velvet Ant deployed the VELVETSHELL malware, which operates at the OS level and is nearly invisible to traditional security tools.
Sygnia's investigation revealed that the threat actors used Base64-encoded commands to exploit the vulnerability. They uploaded a malicious script that eventually loaded the VELVETSHELL malware. The attackers then executed various post-exploitation tasks, including renaming legitimate binaries to masquerade their activities and deleting traces of their presence.
Velvet Ant's exploitation of this zero-day vulnerability poses significant risks to organizations relying on Cisco Nexus Switches. By gaining control of the underlying OS, threat actors can manipulate network traffic, exfiltrate sensitive data, and maintain a persistent presence within the network. The stealthy nature of VELVETSHELL, combined with the use of legitimate administrative credentials, makes detection extremely challenging, potentially leaving organizations vulnerable to prolonged espionage activities.
Insights and Analysis
Sygnia's analysis highlights the importance of continuous monitoring and enhanced logging on network devices to detect advanced persistent threats. The use of network appliances as an attack vector raises concerns about the security of third-party hardware and software within organizational infrastructures.
Organizations are advised to implement the following measures to mitigate the threat posed by Velvet Ant:
- Enhanced Logging and Monitoring: Ensure comprehensive logging of all activities on network appliances and regularly review logs for suspicious behaviour.
- Regular Software Updates: Apply patches and updates to all network devices as soon as they are released to minimize the risk of exploitation.
- Threat Hunting: Conduct systematic threat hunts focused on identifying signs of compromise within network devices, particularly those that could indicate the presence of VELVETSHELL or similar malware.
The discovery of Velvet Ant's exploitation of a zero-day vulnerability in Cisco Nexus Switches marks a significant escalation in the group's tactics. This highlights the need for organizations to remain vigilant and proactive in their cybersecurity efforts. By following the recommended preventative measures, organizations can better protect themselves from similar attacks and minimize the risk of long-term compromise.
Indicators of Compromise
| Indicator | Type | Description |
|---|---|---|
| /bootflash/id.txt | File path | Possibly used for storing malware-related information |
| /bootflash/1 | File path | Unusual file, could be part of malware artifacts |
| /root/ufdm | File path | Renamed curl binary used in the attack |
| /root/ufdm.so | File path | Malicious shared object (library) loaded by the attacker |
| /root/a | File path | Unspecified file, likely related to attack |
| /root/t | File path | Unspecified file, likely related to attack |
| /root/1 | File path | Unspecified file, likely related to attack |
| /root/2 | File path | Unspecified file, likely related to attack |
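As an added example that is not part of the Sygnia report or this page, the following Python hunt implements the "Threat Hunting" recommendation above against the IoC table: it scans device audit log lines for the two signals the report describes, Base64-encoded command arguments and the listed file paths. The log line format and the sample entries are constructed assumptions, not real NX-OS output.

```python
import base64
import re

# File paths from the Indicators of Compromise table above (page content).
IOC_PATHS = (
    "/bootflash/id.txt", "/bootflash/1", "/root/ufdm", "/root/ufdm.so",
    "/root/a", "/root/t", "/root/1", "/root/2",
)

# Heuristic: a run of Base64-alphabet characters long enough to be unusual
# in an interactive CLI command (24+ chars, optional padding).
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{24,}={0,2}(?![A-Za-z0-9+/=])")


def decodes_as_base64(token: str) -> bool:
    """True if token is strictly valid Base64 that decodes to printable text."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return bool(raw) and all(32 <= b < 127 or b in (9, 10, 13) for b in raw)


def inspect_line(line: str) -> list:
    """Return (signal, value) findings for one log line; empty list if clean."""
    findings = []
    # Exact-token match so /root/1 does not fire on e.g. /root/1000.
    tokens = set(re.split(r"[\s;|&]+", line))
    for path in IOC_PATHS:
        if path in tokens:
            findings.append(("ioc_path", path))
    for m in B64_TOKEN.finditer(line):
        if decodes_as_base64(m.group(0)):
            findings.append(("base64_cmd", m.group(0)))
    return findings


def hunt(lines) -> list:
    """Return (line_number, line, findings) for every line with a finding."""
    hits = []
    for number, line in enumerate(lines, start=1):
        found = inspect_line(line)
        if found:
            hits.append((number, line, found))
    return hits


# Constructed sample log (assumed "timestamp user=... cmd=..." layout).
SAMPLE_B64 = base64.b64encode(b"echo constructed-sample-payload").decode()
SAMPLE_LOG = [
    "2024-06-01T10:00:01 user=admin cmd=show version",
    f"2024-06-01T10:00:05 user=admin cmd=constructed-command {SAMPLE_B64}",
    "2024-06-01T10:00:09 user=admin cmd=cp /root/ufdm /root/a",
    "2024-06-01T10:00:12 user=netops cmd=show interface status",
]

if __name__ == "__main__":
    for number, line, found in hunt(SAMPLE_LOG):
        print(f"line {number}: {found}")
```

Run it against a real accounting or syslog export by replacing SAMPLE_LOG with the file's lines; the Base64 heuristic deliberately ignores tokens that decode to binary, so tune the 24-character threshold to the command lengths normal for your environment.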
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Initial Access | Valid Accounts | T1078 | Use of stolen or otherwise obtained valid administrator credentials to gain access |
| Execution | Command and Scripting Interpreter | T1059 | Execution of commands through CLI and exploitation of command injection vulnerability |
| Persistence | Implantation of Persistent Payload | T1547.015 | Loading of a malicious shared object to maintain persistence within the compromised device |
| Defense Evasion | Masquerading | T1036 | Renaming legitimate binaries to avoid detection (e.g., renaming curl to ufdm) |
| Discovery | System Information Discovery | T1082 | Use of system commands to discover network configurations and connected devices |
| Discovery | Network Service Scanning | T1046 | Probing and mapping network devices using extended ping commands |
| Collection | Data from Local System | T1005 | Accessing and potentially exfiltrating sensitive information from the compromised device |
| Command and Control | Proxy | T1090.002 | Utilizing the 3proxy functionalities embedded in VELVETSHELL for covert communication |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Exfiltrating data through an established command and control channel |