Novel Cisco NX-OS zero-day leveraged by Chinese hackers

Chinese state-backed hacking group Velvet Ant targeted Cisco network switches with NX-OS software impacted by the newly discovered zero-day, tracked as CVE-2024-20399, as part of a cyberespionage attack in April, according to The Record, a news site by cybersecurity firm Recorded Future.

Exploitation of the vulnerability, which was reported by Sygnia researchers and has since been addressed by Cisco, enabled threat actors with admin-level credentials to compromise susceptible Cisco switches with custom malware that facilitated remote connections with impacted devices, file uploads, and code execution, said Sygnia Incident Response Research Manager Amnon Kushir. Potential network compromise preceding abuse of the security issue was also noted by Kushir to be indicative of the elevated sophistication and stealth of Velvet Ant's operations.

Such a development comes weeks after the threat group was reported by Sygnia to have obtained prolonged network persistence through the compromise of legacy F5 BIG-IP appliances in another attack campaign.