Hackers use security blind spots for stealthy attacks.
In early 2024, the Chinese group Velvet Ant exploited a recently patched zero-day vulnerability in Cisco switches to gain control of devices and bypass threat detection systems.
The CVE-2024-20399 vulnerability (CVSS score 6.7) allowed the attackers to deploy custom malware and gain extensive control over the compromised device, making it easier to steal data and maintain access.
According to Sygnia, Velvet Ant used the exploit to execute arbitrary commands on the underlying Linux operating system beneath the NX-OS command-line shell. For the attack to succeed, the attackers needed valid administrator credentials to access the switch's management console.
Sygnia first drew attention to the Velvet Ant group as part of a multi-year campaign against an organization in East Asia. In that campaign, Velvet Ant used legacy F5 BIG-IP devices to establish persistent access to the compromised environment.
Covert exploitation of CVE-2024-20399 was discovered in early July, prompting Cisco to release security updates to address the issue. The Velvet Ant group has demonstrated a high level of technical expertise and the ability to adapt its methods, shifting from compromising modern Windows systems to outdated servers and network devices in order to avoid detection.
According to Sygnia, moving onto internal network devices is a new tactic for bypassing security systems. The latest attack chain consisted of compromising a Cisco switch via CVE-2024-20399, conducting reconnaissance, and executing a malicious script, which eventually led to the launch of a backdoor.
Dubbed VELVETSHELL, the malware is a combination of two open-source tools: the Tiny SHell Unix backdoor and the 3proxy proxy utility. The malware hides at the OS level and allows its operators to execute arbitrary commands, download and upload files, and set up tunnels to proxy network traffic.
Velvet Ant's actions underscore the high degree of risk associated with the use of third-party hardware and applications on the corporate network. Often, such devices are a "black box" because they are mostly hidden from the user, making them a potential target for attackers.
Source