August 22, 2024 at 12:18PM
A China-nexus threat group, Velvet Ant, exploited a recently patched security flaw in Cisco switches as a zero-day, enabling extensive system control and evasion of detection. This involved weaponizing CVE-2024-20399 to deliver bespoke malware, facilitate data exfiltration, and establish persistent access. The attackers’ sophisticated tactics and use of open-source tools highlight the risks posed by third-party applications.
The meeting notes describe a serious network security threat posed by a China-nexus threat group known as Velvet Ant. The group has been observed exploiting a recently disclosed security flaw in Cisco switches (CVE-2024-20399) as a zero-day in order to gain control of the appliance and evade detection.
The threat group has demonstrated a high level of sophistication and shape-shifting tactics. They have targeted an unnamed organization located in East Asia and have utilized legacy F5 BIG-IP appliances as a vantage point for setting up persistence in the compromised environment.
One notable aspect of their tradecraft is their ability to infiltrate new Windows systems and then move to legacy Windows servers and network devices to avoid detection. Their latest attack chain involves exploiting the CVE-2024-20399 vulnerability in a Cisco switch, conducting reconnaissance activities, and ultimately executing a backdoor binary using a malicious script.
The payload, known as VELVETSHELL, is a combination of two open-source tools, Tiny SHell and 3proxy, providing capabilities for executing arbitrary commands, downloading/uploading files, and establishing tunnels for network traffic proxying.
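The proxying capability described above is the part of this tradecraft that leaves the clearest trace on the wire: a switch that has been turned into a relay accepts a connection on a port it never served before and then opens a fresh outbound connection of its own. The following flow-correlation heuristic is an added illustration written for this summary; it is not code from the article, from Sygnia's report, or from VELVETSHELL's components. The flow-record format, the IP addresses, the port allow-lists and the five sample records are all constructed, and the five-second correlation window is an assumed tuning value.

```python
"""
Added example: flag a network device that behaves like a traffic proxy.

Heuristic: a management IP of a switch accepts an inbound connection on a
port outside its expected management services and, shortly afterwards,
initiates an outbound connection to a third host on a non-infrastructure
port. Legitimate switches rarely relay traffic this way; a 3proxy-style
tunnel running on the appliance does exactly that.

Everything below (addresses, ports, record format, sample flows) is
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed management-plane services a switch legitimately exposes.
ALLOWED_INBOUND_PORTS = {22, 443, 161, 830}
# Assumed services a switch legitimately reaches out to (syslog, NTP,
# TACACS+, SNMP traps, DNS).
ALLOWED_OUTBOUND_PORTS = {514, 123, 49, 162, 53}
# Assumed management addresses of network infrastructure.
NETWORK_DEVICES = {"10.0.0.5", "10.0.0.6"}

# Constructed flow records: "<iso-timestamp> <src>:<sport> -> <dst>:<dport> <proto> <bytes>"
FLOWS = """
2024-08-20T10:00:01 10.0.0.5:40001 -> 10.0.0.50:514 udp 200   # syslog export, benign
2024-08-20T10:00:02 10.2.3.4:51000 -> 10.0.0.5:22 tcp 5000    # admin SSH session, benign
2024-08-20T10:00:10 10.9.9.9:51234 -> 10.0.0.5:1080 tcp 900   # inbound on an unexpected port
2024-08-20T10:00:11 10.0.0.5:41000 -> 10.5.5.5:445 tcp 8000   # switch then reaches a file server
2024-08-20T10:01:00 10.0.0.6:42000 -> 10.0.0.50:123 udp 90    # NTP, benign
"""


def parse_flow(line):
    """Parse one constructed flow record; return None for blank/comment lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    ts, src, _arrow, dst, proto, nbytes = body.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src_ip, "sport": int(sport),
        "dst": dst_ip, "dport": int(dport),
        "proto": proto, "bytes": int(nbytes),
    }


def find_proxy_pivots(lines, window=timedelta(seconds=5)):
    """Return (device, inbound_src, outbound_dst, outbound_dport) tuples.

    A finding is raised when a network device accepted a connection on a
    non-management port and, within `window`, itself opened an outbound
    connection to a different host on a port outside the outbound
    allow-list. That pairing is the relay pattern a proxy on the
    appliance produces.
    """
    flows = [f for f in (parse_flow(l) for l in lines) if f is not None]
    flows.sort(key=lambda f: f["ts"])
    recent_inbound = defaultdict(list)  # device -> odd-port inbound flows seen so far
    findings = []
    for f in flows:
        if f["dst"] in NETWORK_DEVICES and f["dport"] not in ALLOWED_INBOUND_PORTS:
            recent_inbound[f["dst"]].append(f)
        elif f["src"] in NETWORK_DEVICES and f["dport"] not in ALLOWED_OUTBOUND_PORTS:
            for inb in recent_inbound[f["src"]]:
                delta = f["ts"] - inb["ts"]
                if timedelta(0) <= delta <= window and f["dst"] != inb["src"]:
                    findings.append((f["src"], inb["src"], f["dst"], f["dport"]))
    return findings


if __name__ == "__main__":
    for device, origin, target, port in find_proxy_pivots(FLOWS.splitlines()):
        print(f"possible relay: {origin} -> {device} -> {target}:{port}")
```

The allow-lists are the tuning knobs: each environment should populate them from its own baseline of what management addresses actually serve and contact, and a finding should be treated as a lead to verify on the device (unexpected listening sockets, processes, or files), not as proof of compromise on its own.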
The company Sygnia has issued a report highlighting the risks associated with third-party appliances and applications that organizations onboard, emphasizing the potential attack surface that adversaries can exploit due to the ‘black box’ nature of many appliances.
This is a critical security threat that should be taken seriously, and immediate action should be taken to address the CVE-2024-20399 vulnerability and monitor for any unauthorized activities or potential compromise by the Velvet Ant threat group.