02 July 2024 | Newsroom | Cyber Espionage / Vulnerability

Zero-day in Cisco NX-OS switches exploited.

A China-linked cyber espionage group called Velvet Ant has exploited a zero-day flaw in the Cisco NX-OS software used in its switches to deliver malware.

The vulnerability, tracked as CVE-2024-20399 (CVSS score: 6.0), concerns a command injection issue that allows an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device.

“By exploiting this vulnerability, Velvet Ant successfully executed previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices,” cybersecurity firm Sygnia said in a statement shared with The Hacker News.

Cisco said the issue stems from insufficient validation of arguments that are passed to certain configuration CLI commands, and that it can be exploited by including adversary-crafted input as an argument to an affected configuration CLI command.
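To illustrate the class of bug Cisco describes (an argument that reaches the underlying OS without validation), here is an added, generic Python model. It is not Cisco's code and says nothing about NX-OS internals: a toy configuration handler that splices the argument into a shell command line, beside a hardened version that allow-lists the argument and passes it as a separate argv element so no shell ever parses it. The command name, the allow-list pattern and the sample inputs are all constructed for the example.

```python
import re
import subprocess

# Constructed toy model of a configuration command that hands one
# operator-supplied argument to the underlying OS. Illustration only:
# this is not NX-OS code; the command, pattern and inputs are made up.

# Allow-list for the argument: a short identifier with nothing a shell
# would interpret (no ';', '|', '$', quotes, whitespace, ...).
ALLOWED_ARGUMENT = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def build_command_unsafe(argument: str) -> str:
    """Vulnerable pattern: the argument is spliced into a shell command
    line, so any shell metacharacters it contains become part of the
    command the OS executes."""
    return f"echo applying {argument}"


def build_command_safe(argument: str) -> list[str]:
    """Hardened pattern: reject anything outside the allow-list and pass
    the argument as its own argv element, never through a shell."""
    if not ALLOWED_ARGUMENT.fullmatch(argument):
        raise ValueError(f"rejected argument: {argument!r}")
    return ["echo", "applying", argument]


def run_unsafe(argument: str) -> str:
    # shell=True reproduces the defect: /bin/sh interprets the whole string.
    result = subprocess.run(build_command_unsafe(argument), shell=True,
                            capture_output=True, text=True, check=False)
    return result.stdout


def run_safe(argument: str) -> str:
    # No shell involved: the argument reaches echo as literal text.
    result = subprocess.run(build_command_safe(argument),
                            capture_output=True, text=True, check=False)
    return result.stdout


def is_rejected(argument: str) -> bool:
    """True if the hardened handler refuses the argument outright."""
    try:
        build_command_safe(argument)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    benign = "profile-1"
    # Constructed hostile argument: a second command smuggled after ';'.
    hostile = "profile-1; echo INJECTED"
    print("unsafe, benign :", run_unsafe(benign).strip())
    print("unsafe, hostile:", run_unsafe(hostile).splitlines())
    print("safe, benign   :", run_safe(benign).strip())
    print("safe, hostile  : rejected =", is_rejected(hostile))
```

The point of the pairing is that the hardened handler does not try to escape dangerous characters; it refuses anything that is not a plain identifier and keeps the shell out of the path entirely, which is the property an audit of a CLI-to-OS boundary should look for.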


Furthermore, it enables a user with administrator privileges to execute commands without triggering system syslog messages, making it possible to hide the execution of shell commands on compromised devices.

Despite the flaw’s code execution capabilities, its low severity rating reflects the fact that successful exploitation requires an attacker to already possess administrator credentials and have access to certain configuration commands. The following devices are affected by CVE-2024-20399:

  • MDS 9000 Series Multilayer Switches
  • Nexus 3000 Series Switches
  • Nexus 5500 Platform Switches
  • Nexus 5600 Platform Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches
  • Nexus 9000 Series Switches in standalone NX-OS mode

Velvet Ant was first documented by an Israeli cybersecurity firm last month in connection with a cyber attack targeting an unnamed organization based in East Asia. The intrusion persisted for nearly three years and used outdated F5 BIG-IP appliances to stealthily steal customer and financial information.

“Network devices, especially switches, are often not monitored, and their logs are often not sent to a central logging system,” Sygnia said. “This lack of oversight creates significant challenges in identifying and investigating malicious activity.”


The development comes as threat actors are exploiting a critical vulnerability affecting D-Link DIR-859 Wi-Fi routers (CVE-2024-0769, CVSS score: 9.8), a path traversal issue that leads to information disclosure, to collect account information such as name, password, groups, and description for all users.

“Variations of the exploit [...] enable extraction of account details from the device,” threat intelligence firm GreyNoise said. “The product is end-of-life, so it will not be patched, which poses long-term exploit risks. Multiple XML files can be invoked using the vulnerability.”
