China’s ‘Velvet Ant’ hackers caught exploiting new zero-day in Cisco devices

A newly identified zero-day vulnerability affecting a popular line of Cisco devices was used in an April attack by state-backed hackers from China. 

Cisco and cybersecurity firm Sygnia published advisories on Monday about CVE-2024-20399 — a vulnerability affecting the Cisco NX-OS software used for the Nexus-series switches that connect devices on a network. 

Sygnia incident response research manager Amnon Kushnir said they discovered the vulnerability as part of a larger forensic investigation involving a threat group they call Velvet Ant. 

“The threat actors gathered administrator-level credentials to gain access to Cisco Nexus switches and deploy a previously unknown custom malware that allowed them to remotely connect to compromised devices, upload additional files and execute malicious code,” Kushnir explained.

“We immediately reported this vulnerability and exploitation to Cisco and provided detailed information about the attack flow.” 

Cisco has released software updates that address the vulnerability but noted that there are no workarounds. The company said its Product Security Incident Response Team (PSIRT) became aware of attempted exploitation in April.

The vulnerability affects multiple Cisco products running a vulnerable release of Cisco NX-OS Software. 

According to Sygnia, Cisco Nexus switches are prevalent in enterprise environments, especially within data centers, but most are not directly exposed to the internet. Network devices like switches are often not sufficiently protected, and organizations frequently fail to take other steps to protect themselves, Kushnir added. 

He told Recorded Future News that the Velvet Ant hackers likely breached the organization’s network first before exploiting the vulnerability — calling it “another example of Velvet Ant’s sophistication and stealthiness when infiltrating network devices.” The group’s primary objective is espionage, and it focuses on establishing long-term access to a victim’s network.

In June, Sygnia wrote about another Velvet Ant campaign where the hackers were able to maintain multiple footholds within the victim company’s environment for three years. The group used outdated F5 BIG-IP equipment to stay under the radar and obtain private data, including financial and customer information.

Correction: A previous version of this article incorrectly spelled the last name of Sygnia's Amnon Kushnir.

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.