July 1, 2024 at 01:48PM
Cisco patched an NX-OS zero-day vulnerability used in April attacks to install new malware on susceptible switches. Sygnia attributed the attacks to a Chinese state-sponsored group called Velvet Ant. The exploit allowed the threat actors to gain access, upload files, and execute malicious code. Cisco advises monitoring and changing administrative credentials regularly.
Based on the meeting notes, here are the key takeaways:
1. Cisco has patched a zero-day vulnerability (CVE-2024-20399) in NX-OS software that was exploited by a state-sponsored threat actor identified as Velvet Ant. The vulnerability allowed attackers to gain root access to vulnerable Cisco Nexus switches and deploy custom malware for remote exploitation.
2. Impacted devices include MDS 9000 Series, Nexus 3000 Series, Nexus 5500 Platform, Nexus 5600 Platform, Nexus 6000 Series, Nexus 7000 Series, and Nexus 9000 Series in standalone NX-OS mode.
3. The security flaw also allows attackers to execute commands without triggering system syslog messages, enabling them to conceal signs of compromise on hacked NX-OS devices.
4. Cisco recommends customers to monitor and regularly change the credentials of network-admin and vdc-admin administrative users. Admins can use the Cisco Software Checker page to determine whether devices on their network are exposed to attacks targeting the vulnerability.
5. A separate incident involved state-backed hacking group UAT4356 and STORM-1849 exploiting zero-day bugs (CVE-2024-20353 and CVE-2024-20359) in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls in a campaign targeting government networks worldwide.
6. Velvet Ant, the threat actor involved in the NX-OS vulnerability, has also targeted F5 BIG-IP appliances with custom malware in a cyberespionage campaign, stealing sensitive customer and financial information over three years.
These takeaways summarize the key security incidents and vulnerabilities discussed in the meeting.