Chinese hackers exploit zero-day Cisco switch vulnerability to gain control over systems
August 22, 2024 | Ravie Lakshmanan | Network Security / Zero-Day

Details have emerged of a China-nexus espionage group that exploited a recently disclosed, since-patched security flaw in Cisco switches as a zero-day to take control of the devices and evade detection.

The activity, attributed to Velvet Ant, was observed earlier this year and involved weaponizing CVE-2024-20399 (CVSS score: 6.0) to deliver bespoke malware that gave the attackers extensive control over the compromised system, enabling both data exfiltration and persistent access.

“The zero-day exploit allows an attacker with valid administrator credentials for the Switch management console to bypass the NX-OS command line interface (CLI) and execute arbitrary commands on the underlying Linux operating system,” cybersecurity firm Sygnia said in a report shared with The Hacker News.


Velvet Ant first came to the attention of researchers at the Israeli cybersecurity firm in connection with a multi-year campaign against an unnamed organization in East Asia, in which legacy F5 BIG-IP appliances served as the foothold for establishing persistence in the compromised environment.

The threat actor's stealthy exploitation of CVE-2024-20399 came to light in early July 2024, prompting Cisco to release security updates to address the flaw.


What stands out about the group's tradecraft is its sophistication and its shape-shifting tactics: it initially compromised new Windows systems, then shifted to legacy Windows servers and network devices in an effort to stay under the radar.

“The transition to working with internal network devices marks a new escalation in the evasion techniques used to ensure the continuation of the espionage campaign,” Sygnia said.

The latest attack chain involves breaking into a Cisco switch using CVE-2024-20399 (which, being a post-authentication flaw, presupposes that the attacker already holds valid administrator credentials for the device), carrying out reconnaissance, pivoting to additional network devices, and finally executing a backdoor binary by means of a malicious script.
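The practical defensive takeaway from the CLI-to-Linux bypass quoted above and from the attack chain just described is that the switch's own command-accounting trail is where an authenticated abuse of the CLI shows up. The following is an added example, not code from the article or from Sygnia, that triages constructed log lines modelled on NX-OS command accounting (`show accounting log`); that line format, the rule patterns and the sample commands are all assumptions for illustration. The article does not disclose the exploit's actual command syntax, so the rules flag generic precursors instead: commands that drop to the Linux shell, files fetched onto the switch, and CLI arguments carrying shell metacharacters. Cisco supports `run bash` for legitimate automation, so a single hit is a triage lead, not a verdict; the correlation step prioritises users who show more than one stage.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines modelled on the NX-OS command-accounting log.
# The format and the commands are assumptions for this example, not
# evidence from the article. Line 1 is benign; lines 2-5 are each meant
# to trip exactly one rule; line 6 is a session-start record with no command.
SAMPLE_LOG = """\
Mon Jul  1 09:12:01 2024:type=update:id=10.10.1.5@pts/0:user=admin:cmd=show version
Mon Jul  1 09:12:40 2024:type=update:id=10.10.1.5@pts/0:user=admin:cmd=configure terminal ; feature bash-shell (SUCCESS)
Mon Jul  1 09:13:02 2024:type=update:id=10.10.1.5@pts/0:user=admin:cmd=run bash
Mon Jul  1 09:14:15 2024:type=update:id=10.10.1.5@pts/0:user=admin:cmd=copy scp://svc@10.10.9.9/tools/upd.bin bootflash:upd.bin vrf management
Mon Jul  1 09:15:30 2024:type=update:id=10.10.1.5@pts/0:user=admin:cmd=configure terminal ; hostname core-sw1 ; $(id) (SUCCESS)
Mon Jul  1 09:20:00 2024:type=start:id=10.10.1.5@pts/0:user=admin:cmd=
"""

# Assumed record layout: "<timestamp>:type=<t>:id=<src>@<tty>:user=<u>:cmd=<cli text>"
LINE_RE = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<id>[^:]*):user=(?P<user>[^:]*):cmd=(?P<cmd>.*)$"
)

# (rule name, pattern, why it matters for a CLI-to-Linux bypass). Generic indicators,
# not the exploit syntax for CVE-2024-20399, which the article does not give.
RULES = [
    ("SHELL_ACCESS",
     re.compile(r"(^|\s)(run\s+(bash|guestshell)|feature\s+bash-shell)\b"),
     "command drops from the NX-OS CLI to the underlying Linux shell"),
    ("FILE_TRANSFER",
     re.compile(r"^copy\s+.*\b(?:scp|sftp|tftp|ftp|https?)://"),
     "a file was fetched onto the switch over the network (possible backdoor staging)"),
    ("SHELL_METACHAR",
     re.compile(r"\$\(|`|[|&<>]"),
     "CLI argument carries shell metacharacters (argument may pass through to Linux)"),
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    user: str
    source: str
    cmd: str
    why: str


def parse(log_text):
    """Yield (line number, regex match) for records that carry a command."""
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if m and m["cmd"].strip():
            yield n, m


def analyze(log_text):
    """Run every rule over every command; one Finding per (line, rule) hit."""
    findings = []
    for n, m in parse(log_text):
        cmd = m["cmd"].strip()
        for name, pattern, why in RULES:
            if pattern.search(cmd):
                findings.append(Finding(n, name, m["user"], m["id"], cmd, why))
    return findings


def correlate(findings):
    """Users who triggered two or more distinct rules. Shell access plus a
    file transfer (or metacharacters) from one account is the staging-then-
    execute pattern described in the article and outranks any single hit."""
    rules_by_user = defaultdict(set)
    for f in findings:
        rules_by_user[f.user].add(f.rule)
    return {user for user, rules in rules_by_user.items() if len(rules) >= 2}


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no}: {f.rule} user={f.user} from={f.source} :: {f.cmd}  ({f.why})")
    print("users with multi-stage activity:", sorted(correlate(hits)))
```

Feed real accounting output into `analyze()` after confirming the record layout on your own NX-OS version, and tune `RULES` to whatever your change-management process considers normal (for instance, allow-list the automation account that is permitted to use `run bash`).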


The payload, dubbed VELVETSHELL, is a hybrid of two open-source tools: Tiny SHell, a Unix backdoor, and 3proxy, a proxy utility. It can execute arbitrary commands, upload and download files, and create tunnels for proxying network traffic.

“The modus operandi of ‘Velvet Ant’ highlights risks and questions regarding third-party devices and applications that organizations have on board,” the company said. “Due to the ‘black box’ nature of many devices, every piece of hardware or software has the potential to become an attack surface that an adversary can exploit.”
