In a revelation that underscores the growing sophistication of cyber espionage tactics, cybersecurity firm Sygnia has uncovered a China-nexus threat group, dubbed ‘Velvet Ant,’ leveraging a zero-day exploit to infiltrate Cisco Nexus switches. The exploit, identified as CVE-2024-20399, allows the attackers to gain control of these network devices and maintain long-term persistence, evading traditional security measures.
A New Level of Stealth
Earlier this year, Sygnia observed Velvet Ant utilizing the zero-day vulnerability to compromise on-premises Cisco switch appliances. The exploit enables attackers with valid administrative credentials to escape the NX-OS command line interface (CLI) and execute arbitrary commands on the underlying Linux operating system of the switches. This breach allows them to deploy customized malware, which remains hidden from typical security tools, thereby providing the attackers with a stealthy foothold within targeted networks.
Velvet Ant's operations have been described as a multi-year intrusion campaign, highlighting a clear evolution in their tactics. Initially, the group targeted legacy Windows systems with inadequate security logging capabilities, such as Windows 2003 servers. These systems provided a convenient hiding spot due to their outdated security features, enabling Velvet Ant to evade detection for extended periods.
As they adapted their strategies, Velvet Ant shifted to exploiting network appliances like F5 BIG-IP devices. This transition allowed them to operate from within critical infrastructure components, using these ‘black boxes’ to evade standard monitoring and detection tools. Now, with their latest campaign targeting Cisco Nexus switches, they have reached a new level of stealth and persistence.
Exploiting Cisco Nexus Switches
The latest attacks reveal that Velvet Ant has been exploiting the newly discovered vulnerability in Cisco’s NX-OS software, which is designed specifically for the Nexus-series switches. The NX-OS operates with a layered architecture: an application layer accessible to administrators through the CLI, and an underlying Linux OS layer that remains hidden from end users. The exploit discovered by Velvet Ant allowed them to bypass the restrictions of the application layer and manipulate the underlying OS directly.
During the investigation, Sygnia identified that Velvet Ant used the zero-day vulnerability to inject malicious commands via the CLI, loading and executing a backdoor named ‘VELVETSHELL.’ This malware, which was disguised as legitimate system files, provided the attackers with extensive control over the compromised devices. The malware's capabilities included executing arbitrary commands, downloading and uploading files, and creating network tunnels for data exfiltration.
Sophisticated Post-Exploitation Tactics
The post-exploitation tactics employed by Velvet Ant demonstrate a high level of sophistication and attention to detail. After gaining access to the underlying Linux OS, the attackers deployed VELVETSHELL and carefully obfuscated their activities to avoid detection. They manipulated environment variables to load malicious libraries, checked running processes and network connections to ensure their malware was functioning correctly, and meticulously removed traces of their intrusion by deleting logs and binaries used in the attack.
Despite the attackers' efforts to cover their tracks, Sygnia’s forensic team was able to reconstruct the VELVETSHELL malware from the device memory. Analysis revealed that the malware is a hybrid of two open-source tools: TinyShell, a Unix backdoor, and 3proxy, a proxy tool. This combination provided Velvet Ant with a versatile toolkit for maintaining control over compromised devices and conducting further operations.
Implications for Network Security
The discovery of Velvet Ant's activities raises significant concerns about the security of network appliances and the potential for similar attacks in the future. Cisco Nexus switches, like many network devices, are designed to be highly secure, but the existence of a zero-day exploit and the attackers' ability to remain undetected for years highlights the need for enhanced security measures.
Sygnia recommends organizations bolster their defenses by enhancing logging, implementing continuous monitoring, and conducting regular threat hunts, particularly at key network choke points. These measures can help detect and counteract advanced persistent threats like Velvet Ant.
As Velvet Ant continues to evolve its tactics, the cybersecurity community must remain vigilant. The group's ability to adapt and persistently exploit vulnerabilities underscores the importance of a proactive, holistic approach to network security, focusing not only on containment and mitigation but also on ongoing monitoring for potential threats.
Comentarios