Cisco Nexus switches targeted by large-scale Chinese malware campaign


Chinese threat actors have been found abusing a zero-day vulnerability in certain Cisco switches to take over the devices and install malware.

The findings come courtesy of Sygnia, which recently uncovered a new malicious campaign apparently undertaken by a Chinese state-sponsored threat actor known as Velvet Ant. 

"The threat actors gathered administrator-level credentials to gain access to Cisco Nexus switches and deploy a previously unknown custom malware that allowed them to remotely connect to compromised devices, upload additional files and execute malicious code," Amnon Kushnir, Director of Incident Response at Sygnia, told BleepingComputer.

Monitoring login credentials

The vulnerability has since been patched, so if you’re using any of the below-mentioned models, make sure to apply the fix immediately.

The vulnerability is tracked as CVE-2024-20399 and, according to Cisco, can only be exploited by an authenticated local attacker who already holds administrator credentials on the switch. It lets that attacker run arbitrary commands as root on the underlying operating system of NX-OS, the software powering the switches. In other words, it is a privilege-escalation bug from the NX-OS admin CLI to the host, which is why the harvested admin credentials mattered so much to Velvet Ant.

"This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command," Cisco said.

Here is the full list of affected products:

MDS 9000 Series Multilayer Switches

Nexus 3000 Series Switches

Nexus 5500 Platform Switches

Nexus 5600 Platform Switches

Nexus 6000 Series Switches

Nexus 7000 Series Switches

Nexus 9000 Series Switches in standalone NX-OS mode

Besides allowing arbitrary commands to run with root privileges, the vulnerability also helps attackers stay hidden while doing so: according to Cisco, exploitation does not trigger system syslog messages, so the execution of shell commands on a compromised switch leaves no trace in the syslog stream.

To look for signs of compromise, Cisco advises network administrators to regularly monitor and rotate the login credentials of network-admin and vdc-admin users, since those are the accounts an attacker needs in order to exploit the flaw. Administrators can also use the Cisco Software Checker page to find out whether any of their devices are running a vulnerable NX-OS release.
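One practical way to act on that advice is to triage which accounts actually hold the network-admin or vdc-admin role and then review where those accounts have logged in from and which configuration commands they ran. The script below is an added example, not code from Cisco, Sygnia or this article: it parses constructed samples in the shape of NX-OS `show user-account` and `show accounting log` output (the input formats, the allow-listed jump-host addresses and all usernames, timestamps and commands are assumptions for the example) and flags privileged logins from unexpected sources plus configuration commands issued by privileged accounts, which are the commands whose arguments CVE-2024-20399 abuses.

```python
"""Triage NX-OS command accounting for privileged (network-admin / vdc-admin)
sessions. Added example; input formats are assumed from NX-OS
'show user-account' and 'show accounting log' output, and the sample data
below is constructed, not taken from the Sygnia or Cisco reports."""
import re
from dataclasses import dataclass

PRIVILEGED_ROLES = {"network-admin", "vdc-admin"}

# Constructed 'show user-account' output (assumed format).
SAMPLE_USER_ACCOUNT = """\
user:admin
        this user account has no expiry date
        roles:network-admin
user:netops
        this user account has no expiry date
        roles:network-operator
user:fabric-svc
        this user account has no expiry date
        roles:vdc-admin vdc-operator
"""

# Constructed 'show accounting log' output (assumed format). Timestamps,
# addresses (RFC 5737 documentation range) and commands are invented.
SAMPLE_ACCOUNTING_LOG = """\
Mon Jul  1 09:12:03 2024:type=start:id=10.10.0.5@pts/0:user=netops:cmd=
Mon Jul  1 09:12:10 2024:type=update:id=10.10.0.5@pts/0:user=netops:cmd=show interface brief (SUCCESS)
Mon Jul  1 09:15:44 2024:type=stop:id=10.10.0.5@pts/0:user=netops:cmd=shell terminated because of user logout
Tue Jul  2 02:41:17 2024:type=start:id=203.0.113.77@pts/1:user=admin:cmd=
Tue Jul  2 02:41:30 2024:type=update:id=203.0.113.77@pts/1:user=admin:cmd=configure terminal ; interface Ethernet1/48 ; description maint (SUCCESS)
Tue Jul  2 02:45:09 2024:type=stop:id=203.0.113.77@pts/1:user=admin:cmd=shell terminated because of user logout
Tue Jul  2 10:03:51 2024:type=start:id=10.10.0.9@pts/0:user=fabric-svc:cmd=
Tue Jul  2 10:04:02 2024:type=update:id=10.10.0.9@pts/0:user=fabric-svc:cmd=configure terminal ; vlan 200 (SUCCESS)
"""


@dataclass(frozen=True)
class Record:
    ts: str
    kind: str   # start / update / stop
    src: str    # source address of the session
    tty: str
    user: str
    cmd: str


# One accounting line: "<timestamp>:type=<kind>:id=<src>@<tty>:user=<user>:cmd=<cmd>"
_LINE = re.compile(
    r"^(?P<ts>.+?):type=(?P<kind>\w+):id=(?P<src>[^@]+)@(?P<tty>[^:]+)"
    r":user=(?P<user>[^:]+):cmd=(?P<cmd>.*)$"
)


def privileged_accounts(user_account_text: str) -> set[str]:
    """Return the accounts holding any network-admin / vdc-admin role."""
    privileged, current = set(), None
    for line in user_account_text.splitlines():
        line = line.strip()
        if line.startswith("user:"):
            current = line[len("user:"):]
        elif line.startswith("roles:") and current:
            roles = set(line[len("roles:"):].split())
            if roles & PRIVILEGED_ROLES:
                privileged.add(current)
    return privileged


def parse_accounting_log(text: str) -> list[Record]:
    """Parse accounting lines; lines that do not match (wrapped or truncated
    output) are skipped rather than guessed at."""
    records = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            records.append(Record(**m.groupdict()))
    return records


def flag_sessions(records, privileged, allowed_sources) -> list[Record]:
    """Privileged logins (type=start) from sources outside the allow-list."""
    return [r for r in records
            if r.kind == "start" and r.user in privileged
            and r.src not in allowed_sources]


def privileged_config_commands(records, privileged) -> list[Record]:
    """Configuration commands run by privileged accounts. CVE-2024-20399 is
    triggered through crafted arguments to configuration CLI commands, so
    these are the lines to review by hand."""
    return [r for r in records
            if r.kind == "update" and r.user in privileged
            and r.cmd.startswith("configure terminal")]


if __name__ == "__main__":
    privileged = privileged_accounts(SAMPLE_USER_ACCOUNT)
    records = parse_accounting_log(SAMPLE_ACCOUNTING_LOG)
    allowed = {"10.10.0.5", "10.10.0.9"}   # assumed management jump hosts
    for r in flag_sessions(records, privileged, allowed):
        print(f"ALERT privileged login {r.user} from {r.src} at {r.ts}")
    for r in privileged_config_commands(records, privileged):
        print(f"REVIEW {r.user}@{r.src}: {r.cmd}")
```

Two caveats for anyone adapting this. First, Cisco's statement that exploitation raises no syslog message concerns syslog; command accounting is a separate record, which is why it is worth reading. Second, an attacker who has reached root on the switch can alter anything stored on the box, so the accounting data should be forwarded off-device (for example through AAA accounting to a TACACS+ server or a log collector) and the check run against that copy rather than against `show accounting log` on a switch you already suspect.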


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.