Cisco Nexus switches targeted by large-scale Chinese malware campaign
Zero-day was found granting unabated access to Chinese state-sponsored threat actors
Chinese threat actors have been found abusing a zero-day vulnerability in certain Cisco switches to take over the devices and install malware.
The findings come courtesy of Sygnia, which recently uncovered a new malicious campaign apparently undertaken by a Chinese state-sponsored threat actor known as Velvet Ant.
"The threat actors gathered administrator-level credentials to gain access to Cisco Nexus switches and deploy a previously unknown custom malware that allowed them to remotely connect to compromised devices, upload additional files and execute malicious code," Amnon Kushnir, Director of Incident Response at Sygnia, told BleepingComputer.
Monitoring login credentials
The vulnerability has since been patched, so if you’re using any of the below-mentioned models, make sure to apply the fix immediately.
The vulnerability is tracked as CVE-2024-20399 and, according to Cisco, can be abused by local attackers with admin privileges. It grants them the ability to run arbitrary commands with root permissions on NX-OS, the operating system powering the switches.
"This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command," Cisco said.
Here is the full list of affected device models:
- MDS 9000 Series Multilayer Switches
- Nexus 3000 Series Switches
- Nexus 5500 Platform Switches
- Nexus 5600 Platform Switches
- Nexus 6000 Series Switches
- Nexus 7000 Series Switches
- Nexus 9000 Series Switches in standalone NX-OS mode
Besides letting attackers run arbitrary commands with root privileges, the vulnerability reportedly also helps them stay hidden while doing so, since exploitation does not trigger system syslog messages.
To look for signs of compromise, Cisco advises network administrators to monitor, and regularly update, the login credentials of network-admin and vdc-admin users. Administrators can also use the Cisco Software Checker page to see whether any of their devices are vulnerable.
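One way to carry out the account check Cisco recommends, as an added example that is not code from the article, Cisco or Sygnia: a small Python script that parses the output of the NX-OS `show user-account` command and flags every account holding the network-admin or vdc-admin role that is not in an approved baseline. The sample command output below is constructed and only approximates the real layout (the exact format may differ by NX-OS release); the baseline set and the user names are assumptions.

```python
import re
from typing import Dict, List, Set

# The two roles Cisco's advisory tells administrators to track and rotate.
PRIVILEGED_ROLES = {"network-admin", "vdc-admin"}

# Constructed sample output approximating NX-OS `show user-account`
# (assumption: the real layout may vary by release).
SAMPLE_SHOW_USER_ACCOUNT = """\
user:admin
        this user account has no expiry date
        roles:network-admin
user:netops
        this user account has no expiry date
        roles:network-operator
user:svc-backup
        this user account has no expiry date
        roles:network-admin vdc-admin
"""

# Hypothetical approved list of accounts allowed to hold a privileged role.
APPROVED_ADMINS = {"admin"}


def parse_user_accounts(text: str) -> Dict[str, Set[str]]:
    """Return {username: set(roles)} parsed from show user-account output."""
    accounts: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        user_match = re.match(r"^user:(\S+)", stripped)
        if user_match:
            current = user_match.group(1)
            accounts[current] = set()
            continue
        # Roles are assumed to be space-separated on a single "roles:" line.
        roles_match = re.match(r"^roles:(.*)$", stripped)
        if roles_match and current is not None:
            accounts[current].update(roles_match.group(1).split())
    return accounts


def find_unexpected_admins(accounts: Dict[str, Set[str]],
                           baseline: Set[str]) -> List[str]:
    """Accounts holding a privileged role that are not in the approved baseline."""
    return sorted(
        user for user, roles in accounts.items()
        if roles & PRIVILEGED_ROLES and user not in baseline
    )


if __name__ == "__main__":
    parsed = parse_user_accounts(SAMPLE_SHOW_USER_ACCOUNT)
    for user in find_unexpected_admins(parsed, APPROVED_ADMINS):
        print(f"REVIEW: unexpected privileged account {user!r} "
              f"with roles {sorted(parsed[user])}")
```

Run the script against the saved output of `show user-account` from each switch; any account it reports should be reconciled against change records, and its credentials rotated if it cannot be explained.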
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.