Cisco has patched an NX-OS zero-day exploited in April attacks to install previously unknown malware as root on vulnerable switches.
Cybersecurity firm Sygnia, which reported the incidents to Cisco, linked the attacks to a Chinese state-sponsored threat actor it tracks as Velvet Ant.
Cisco says the vulnerability can be exploited by local attackers with Administrator privileges to execute arbitrary commands with root permissions on vulnerable devices' underlying operating systems.
The security flaw also lets attackers execute commands without triggering system syslog messages, allowing them to conceal signs of compromise on hacked NX-OS devices.
Cisco advises customers to monitor and change the credentials of network-admin and vdc-admin administrative users regularly.
Admins can use the Cisco Software Checker page to determine whether devices on their network are exposed to attacks targeting the CVE-2024-20399 vulnerability.
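Cisco's advice above amounts to keeping an inventory of who holds the network-admin and vdc-admin roles and watching it for changes. The script below is an added example, not code from Cisco, Sygnia or the article: it parses the output of the NX-OS `show user-account` command, lists every account carrying one of those privileged roles, and flags any privileged account that is not on an expected allowlist. The sample output is constructed to match the general shape of that command's output and is not a capture from a real device; the allowlist is a hypothetical value an operator would replace with their own.

```python
import re
from typing import Dict, List

# Constructed sample of NX-OS "show user-account" output (not captured from a real device).
SAMPLE_OUTPUT = """\
user:admin
        this user account has no expiry date
        roles:network-admin
user:netops
        this user account has no expiry date
        roles:network-operator
user:vdcmgr
        this user account has no expiry date
        roles:vdc-admin vdc-operator
user:auditor
        this user account has no expiry date
        roles:network-operator
"""

# Roles Cisco's advisory singles out for regular credential monitoring and rotation.
PRIVILEGED_ROLES = {"network-admin", "vdc-admin"}

# Hypothetical allowlist of accounts that are *expected* to hold a privileged role.
EXPECTED_PRIVILEGED = {"admin"}


def parse_user_accounts(text: str) -> Dict[str, List[str]]:
    """Map each account name in 'show user-account' output to its list of roles."""
    accounts: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("user:"):
            current = line[len("user:"):].strip()
            accounts[current] = []
        elif line.startswith("roles:") and current is not None:
            # Roles are whitespace-separated on a single line.
            accounts[current] = re.split(r"\s+", line[len("roles:"):].strip())
    return accounts


def privileged_accounts(accounts: Dict[str, List[str]]) -> List[str]:
    """Return, sorted, every account that holds at least one privileged role."""
    return sorted(user for user, roles in accounts.items()
                  if PRIVILEGED_ROLES & set(roles))


def unexpected_privileged(accounts: Dict[str, List[str]],
                          expected: set = EXPECTED_PRIVILEGED) -> List[str]:
    """Privileged accounts that are not on the operator's allowlist: candidates for review."""
    return [user for user in privileged_accounts(accounts) if user not in expected]


if __name__ == "__main__":
    parsed = parse_user_accounts(SAMPLE_OUTPUT)
    print("privileged accounts:", privileged_accounts(parsed))
    print("review these:", unexpected_privileged(parsed))
```

Run against output collected from each switch on a schedule, the `unexpected_privileged` list is the set of accounts that either need to be added to the allowlist or investigated; diffing `privileged_accounts` between runs shows when a privileged role was granted or removed.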
In April, Cisco also warned that a state-backed hacking group had been exploiting multiple zero-day bugs in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023, in a campaign dubbed ArcaneDoor that targeted government networks worldwide.
At the time, the company added that it also found evidence the hackers had tested and developed exploits to target the zero-day flaws since at least July 2023.
The attackers exploited the vulnerabilities to install previously unknown malware that allowed them to maintain persistence on compromised ASA and FTD devices.
Cisco said that it had yet to identify the initial attack vector used by the attackers to breach the victims' networks.
Last month, Sygnia said Velvet Ant targeted F5 BIG-IP appliances with custom malware in a cyberespionage campaign.
In that campaign, the threat actor used persistent access to victims' networks to stealthily steal sensitive customer and financial information for three years while avoiding detection.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 01 Jul 2024 17:50:23 +0000