Cybersecurity researchers have uncovered a threat group, known as Velvet Ant, exploiting a recently disclosed zero-day vulnerability in Cisco switches. The flaw, identified as CVE-2024-20399, allows attackers with valid administrator credentials to escape the command line interface and execute arbitrary commands on the underlying Linux operating system.
The vulnerability was weaponized by Velvet Ant to deliver bespoke malware and gain extensive control over compromised systems, facilitating data exfiltration and persistent access. The group’s tactics include shape-shifting techniques, initially targeting new Windows systems before moving to legacy Windows servers and network devices to evade detection.
Cisco released a security update after the flaw came to light, prompting Velvet Ant to pivot its attack chain. The latest attack involves breaking into Cisco switch appliances using CVE-2024-20399, conducting reconnaissance activities, and ultimately executing a backdoor binary via malicious script.
The payload, dubbed VELVETSHELL, is an amalgamation of open-source tools, supporting capabilities for arbitrary command execution, file download/upload, and tunnel establishment. The modus operandi of Velvet Ant highlights the risks associated with third-party appliances and applications, which can become attack surfaces for adversaries to exploit.
Source: https://thehackernews.com/2024/08/chinese-hackers-exploit-zero-day-cisco.html?m=1