Chinese ‘Velvet Ant’ Hackers Caught Exploiting New Zero-Day Flaw in Cisco Devices

A recently identified zero-day vulnerability affecting a popular line of Cisco devices was used in an attack in April by Chinese state-backed hackers.

Cisco and cybersecurity firm Sygnia on Monday issued advisories regarding CVE-2024-20399, a vulnerability affecting Cisco NX-OS software used for Nexus series switches that connect devices on a network.

Amnon Kushir, Sygnia’s incident response research lead, said they discovered the vulnerability as part of a larger forensic investigation involving a threat group they call Velvet Ant.

“The threat actors gathered administrator-level credentials to access Cisco Nexus switches and deploy previously unknown custom malware that allowed them to remotely connect to compromised devices, download additional files, and execute malicious code,” Kushir explained.

“We immediately reported this vulnerability and exploitation to Cisco and provided detailed information on how the attack unfolded.”

Cisco has released software updates that address the vulnerability, but said there is no workaround. The company said its Product Security Incident Response Team (PSIRT) was notified of an attempted exploitation in April.

The vulnerability affects multiple Cisco products running a vulnerable version of Cisco NX-OS Software.

Cisco Nexus switches are widely used in enterprise environments, including data centers, but most are not directly exposed to the Internet, Sygnia said. Network devices such as switches are often not adequately protected, and companies frequently fail to take other defensive steps as well, Kushir added.

Kushir told Recorded Future News that Velvet Ant hackers likely first compromised the organization’s network before exploiting the vulnerability, calling it “another example of Velvet Ant’s sophistication and stealth when infiltrating network devices.” The group’s primary goal is espionage, and it focuses on establishing long-term access to a victim’s network.

In June, Sygnia wrote about another Velvet Ant campaign, in which hackers managed to maintain multiple footholds in the victim company’s environment for three years. The group used outdated F5 BIG-IP equipment to stay under the radar and obtain private data, including financial and customer information.
