China-Linked ‘Velvet Ant’ Hackers Exploited Zero-Day to Deploy Malware on Cisco Nexus Switches

Further evidence has surfaced of sophisticated actors increasingly compromising edge devices and network appliances to improve stealth and persistence: in this case, an accomplished but little-known China-nexus espionage group named Velvet Ant.

On July 1, 2024, Cisco released an advisory detailing a CLI command injection vulnerability in the NX-OS software that runs its Nexus switches. The same day, Sygnia announced that it had discovered the vulnerability being exploited, and had reported it to Cisco, during an investigation of a China-nexus threat group it tracks as Velvet Ant. Sygnia has now released further information on Velvet Ant’s TTPs.

Velvet Ant is Sygnia’s name for the actor. The company has found no evidence to suggest that other researchers have studied the same group but given it a different name.

This Velvet Ant/Cisco incident is a classic example of sophisticated actors attacking networks through edge or network appliances. Such devices are often designed to operate almost as black boxes: limited user access, frequently no logging, and no visibility from the security stack. For an attacker who gets in, the payoff is dramatically increased stealth and persistence.

(See Forescout’s analysis of ‘risky devices’, including network appliances, in ‘Dangerous Liaisons…’)

In a new blog, Sygnia describes how Velvet Ant has, over the years, transitioned to ‘deeper and darker’ parts of network infrastructures, culminating in this example with compromising Cisco switches. 

Nexus switches run NX-OS, which has a layered architecture: a restricted CLI ‘application’ level on top of an underlying Linux-based OS level. An authorized administrator uses the CLI for network management tasks but does not (or should not) have direct access to the protected OS level; administration of the switch is abstracted from the OS and constrained to what the CLI exposes. The OS level handles the core system functions, running the processes and managing the resources that are critical to the switch’s operation.

In terms of visibility, what happens in the OS level remains in the OS level – invisible to the administrator and the network security stack. “These switch appliances do not give the user access to the underlying operating system, making scanning for indicators of compromise nearly impossible,” point out the researchers. 


In this incident, Velvet Ant first gained access to the switch using valid administrator credentials, and then used a command injection vulnerability to ‘jailbreak’ from the CLI application level into the underlying OS level. The result was legitimate-looking access to the network through the application level, and hidden persistence in the OS level.

The vulnerability has been assigned the CVE ID of CVE-2024-20399 but is still awaiting NVD analysis. The Cisco advisory gives it a medium severity rating, saying, “A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated user in possession of Administrator credentials to execute arbitrary commands as root on the underlying operating system of an affected device.”

With control of the switch, Velvet Ant was able to pivot directly to other devices on the network without resorting to the usual lateral movement methods, which is where most intrusions are detected. Velvet Ant’s purpose was espionage, but note that Sygnia’s use of the term ‘APT’ (in conversation with SecurityWeek) is not meant to imply evidence that Velvet Ant is a Chinese state group: Sygnia currently describes it as a China-nexus rather than a China-state actor.

“This access provided the attackers with elevated control over the switch, enabling them to execute malicious scripts and manipulate the system beyond the intended administrative capabilities,” say the researchers.

Discovery of the vulnerability came as part of a larger forensic investigation into Velvet Ant’s espionage campaign. During this, Sygnia discovered suspicious Base64-encoded commands, executed using valid administrative credentials, that had been used to load and execute a binary; these were traced back to the switch.
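The kind of evidence described above can be hunted for in command accounting data. The following is an added illustration, not code from Sygnia’s report or from Cisco: a small Python script that scans accounting lines for long Base64 tokens in the command field, decodes them, and reports those that decode to printable text, marking the ones that look like shell input. The log lines follow the general layout of the NX-OS accounting log but are constructed for this example, and the CLI command carrying the Base64 argument is a placeholder, since the page does not say which command was injected.

```python
"""Scan NX-OS-style command accounting lines for Base64-encoded arguments."""
import base64
import re
import string
from typing import Dict, List, Optional

# Constructed sample lines in the general style of the NX-OS accounting log
# (as displayed by "show accounting log"). The hosts, user, timestamps and
# commands are assumptions made for this example; the CLI command carrying the
# Base64 argument is a placeholder because the page does not name it. None of
# this is Sygnia's or Cisco's data.
SAMPLE_LOG = """\
Mon Jul  1 08:12:03 2024:type=update:id=10.0.0.25@pts/0:user=admin:cmd=show version (SUCCESS)
Mon Jul  1 08:12:41 2024:type=update:id=10.0.0.25@pts/0:user=admin:cmd=configure terminal ; interface Ethernet1/1 ; description uplink-to-core (SUCCESS)
Mon Jul  1 08:13:09 2024:type=update:id=10.0.0.25@pts/0:user=admin:cmd=show interface Ethernet1/1 (SUCCESS)
Mon Jul  1 22:41:55 2024:type=update:id=10.0.0.99@pts/1:user=admin:cmd=<placeholder-cli-command> aWQ7IHVuYW1lIC1hOyBscyAvdG1w (SUCCESS)
"""

# One accounting record: "<timestamp>:type=<t>:id=<who@where>:user=<u>:cmd=<command>".
# The timestamp itself contains colons, so the prefix match is non-greedy.
LOG_RE = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<id>[^:]+):user=(?P<user>[^:]+):cmd=(?P<cmd>.*)$"
)

# A run of at least 16 Base64-alphabet characters, optionally padded, that is
# not glued to other Base64 characters (so "Ethernet1/1" or a path fragment is
# not swallowed into a longer token).
B64_TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])"
)

# Characters that suggest the decoded text is meant for a shell rather than
# for the NX-OS CLI.
SHELL_HINTS = (";", "|", "&&", "$(", "`", "/")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one accounting record into its fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def decode_base64_token(token: str) -> Optional[str]:
    """Return the decoded text if token is valid Base64 for printable ASCII, else None."""
    if len(token) % 4 != 0:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    # Identifiers that merely look Base64-shaped usually decode to control
    # bytes; genuinely encoded commands decode to printable text.
    if not text or not all(ch in string.printable for ch in text):
        return None
    return text


def find_base64_payloads(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per Base64 token in a cmd field that decodes cleanly."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for token in B64_TOKEN_RE.findall(rec["cmd"]):
            decoded = decode_base64_token(token)
            if decoded is None:
                continue
            findings.append({
                "timestamp": rec["ts"],
                "source": rec["id"],
                "user": rec["user"],
                "command": rec["cmd"],
                "token": token,
                "decoded": decoded,
                "shell_like": any(h in decoded for h in SHELL_HINTS),
            })
    return findings


if __name__ == "__main__":
    for f in find_base64_payloads(SAMPLE_LOG):
        flag = "SHELL-LIKE" if f["shell_like"] else "encoded"
        print(f"[{flag}] {f['timestamp']} {f['user']}@{f['source']}: {f['decoded']!r}")
```

In practice the input would be the output of `show accounting log` (or the same records forwarded to a syslog collector), fed to `find_base64_payloads`. A Base64 argument in an administrator’s command is not proof of compromise on its own, but on a device whose OS level is otherwise invisible it is one of the few traces an operator can inspect, and a decoded value that reads like a shell pipeline, issued by an admin account from an unusual source address outside working hours, is exactly the pattern worth escalating.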

Velvet Ant was no longer present on the device, and its practice is to remove traces of its presence after exploitation. Nevertheless, Sygnia was able to reconstruct the malware that had been used from device memory. It has named this malware VelvetShell, a hybrid of two open source tools: TinyShell (a Unix backdoor) and 3proxy.

While each of these tools has a long history of separate malicious use, Velvet Ant combined them into a single binary. In this combined form, it enabled the execution of arbitrary commands, the download and upload of files, and the creation of tunnels for proxying network traffic. In short, it provided extensive control over the compromised system, enabling both data exfiltration and persistent access.

The zero-day vulnerability, now patched by Cisco, is not easy to exploit: the attacker must already have network access to the Nexus switch and valid administrator credentials. These prerequisites explain why Cisco’s own advisory gives the vulnerability only a ‘medium’ severity rating. But once those conditions are met, the attacker can leverage the vulnerability to gain root control of the switch’s operating system, and from there access and exploit other devices while remaining hidden from the network security stack.
