Chinese APT group Velvet Ant deployed custom backdoor on Cisco Nexus switches

A Chinese state-sponsored cyberespionage group tracked as Velvet Ant exploited a zero-day vulnerability in Cisco NX-OS earlier this year to deploy a custom malware implant on an organization’s network switches, according to researchers from security firm Sygnia.

The backdoor was injected into memory by a binary masquerading as a known NX-OS process, and the files used to stage it were deleted from the file system afterwards to hinder detection and forensic analysis.

“Over the years of espionage activities Velvet Ant increased their sophistication, using evolving tactics to continue their cyber operations in a victim network — from operating on ordinary endpoints, shifting operations to legacy servers and finally moving towards network appliances and using 0-days,” Sygnia said in a report that analyzes the malware.

The Sygnia researchers were the ones who first spotted the vulnerability being exploited during an investigation into a company’s network and reported it to Cisco. The flaw is tracked as CVE-2024-20399 and Cisco started releasing patches for the affected series of Nexus switches in early July.

Attackers are making use of a medium-severity flaw

What’s interesting is that CVE-2024-20399 is not an unauthenticated remote code execution vulnerability and in fact requires administrator credentials to exploit. Because of that, it is rated as only medium severity.

However, attackers do not only go after critical flaws; they take advantage of any security issue that gives them an advantage. In this case, the NX-OS software that runs on Nexus switches is intentionally designed not to give users, including administrators, direct shell access to the underlying Linux-based operating system. Instead, they interact with the device through the NX-OS command-line interface, the application layer, which limits them to the commands the vendor exposes.

CVE-2024-20399 breaks that separation: an attacker with administrator credentials can inject commands that execute as root on the underlying OS by passing them as arguments to specific configuration CLI commands whose input is not sufficiently validated. It is therefore a post-compromise flaw, one that enables lateral movement and persistence in environments where the attackers already have a foothold and have extracted administrator credentials from other compromised systems.
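One practical consequence for defenders is that the abuse happens through the switch's own CLI, so the switch's command accounting is the place to look for it. The script below is an added example for this article, not Sygnia's or Cisco's tooling: it reviews NX-OS accounting entries for configuration commands whose arguments carry shell syntax. The log lines are constructed to approximate the `show accounting log` format, `example-config-command` is a placeholder rather than a real NX-OS command, and the indicator list is a heuristic chosen for this example.

```python
"""Heuristic review of NX-OS accounting-log entries for shell-injection indicators.

Added example for this article; it is not Sygnia's or Cisco's tooling. The log lines
are constructed to approximate the NX-OS `show accounting log` format
(timestamp:type=...:id=...:user=...:cmd=... (SUCCESS|FAILURE)) and the indicator
list is an analyst heuristic, not a vendor signature. A hit means "review this
session", not "this is an exploit".
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<src>[^:]+):user=(?P<user>[^:]+)"
    r":cmd=(?P<cmd>.*?)\s*\((?P<result>SUCCESS|FAILURE)\)\s*$"
)

# Substrings that have no place inside a legitimate configuration argument. A bare ';'
# is listed because NX-OS itself joins nested config context with ' ; ' (see
# split_segments); once that separator is removed, any semicolon left is a chain.
INDICATORS = {
    "pipe":     re.compile(r"\|"),
    "backtick": re.compile(r"`"),
    "subshell": re.compile(r"\$\("),
    "chain":    re.compile(r"&&|;"),
    "redirect": re.compile(r"[<>]"),
    "abs_path": re.compile(r"(^|[\s=])/(bin|usr|root|tmp|var|etc)/"),
    "tooling":  re.compile(r"\b(base64|LD_PRELOAD|chmod|curl|wget|sh|bash)\b"),
}


@dataclass
class Finding:
    line_no: int
    user: str
    src: str          # the id= field: source address and terminal
    segment: str
    indicators: list


def split_segments(cmd: str) -> list:
    """NX-OS records a config-mode command together with its context, joined by
    ' ; ' (space, semicolon, space), e.g. 'configure terminal ; interface Ethernet1/1 ;
    shutdown'. Split on that exact separator first, so ordinary nested configuration
    is not reported as shell command chaining."""
    return [s.strip() for s in cmd.split(" ; ") if s.strip()]


def scan_line(line_no: int, line: str) -> list:
    m = LINE_RE.match(line)
    if not m:                      # not an accounting entry in the assumed format
        return []
    findings = []
    for seg in split_segments(m["cmd"]):
        hits = [name for name, rx in INDICATORS.items() if rx.search(seg)]
        if hits:
            findings.append(Finding(line_no, m["user"], m["src"], seg, hits))
    return findings


def scan_log(text: str) -> list:
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        findings.extend(scan_line(n, line))
    return findings


# Constructed sample. 'example-config-command' stands in for whichever command is
# abused and is not a real NX-OS command; the addresses and users are invented.
SAMPLE_LOG = """\
Thu Jul  4 09:15:02 2024:type=update:id=10.10.1.5@pts/0:user=netops:cmd=configure terminal ; interface Ethernet1/1 ; description uplink-core (SUCCESS)
Thu Jul  4 09:15:40 2024:type=update:id=10.10.1.5@pts/0:user=netops:cmd=show running-config interface Ethernet1/1 (SUCCESS)
Thu Jul  4 09:16:11 2024:type=update:id=10.10.1.5@pts/0:user=netops:cmd=configure terminal ; interface Ethernet1/1 ; shutdown (SUCCESS)
Thu Jul  4 23:41:07 2024:type=update:id=10.10.9.200@pts/1:user=admin:cmd=configure terminal ; example-config-command arg$(echo aGVsbG8= | base64 -d > /root/ufdm.so) (SUCCESS)
Thu Jul  4 23:42:30 2024:type=update:id=10.10.9.200@pts/1:user=admin:cmd=configure terminal ; example-config-command arg`LD_PRELOAD=/root/ufdm.so /root/ufdm` (SUCCESS)
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: user={f.user} from {f.src}: {f.indicators}")
        print(f"    {f.segment}")
```

The three netops entries, including the nested `configure terminal ; interface ... ; shutdown`, produce nothing because the context separator is stripped before the metacharacter check; the two late-night admin entries are each reported with the indicators that fired. Because exploitation requires valid admin credentials, the useful follow-up is the `id=` field: a known administrator account appearing from an unfamiliar source address is itself worth a look, whatever the command.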

For threat actors, the appeal of network appliances is that they give customers little visibility, so malicious code deployed on them is both stealthy and persistent. No antivirus products run on these devices, and in some cases, as with Nexus switches, customers do not have access to the underlying OS to run detection tools of their own.

Velvet Ant in particular has previously compromised legacy F5 BIG-IP appliances and used them to stay resident in a victim's network, so this persistence tactic is firmly part of its arsenal.

The attack demonstrates the sophistication of Velvet Ant’s tactics

Based on evidence Sygnia recovered from a Cisco Nexus switch compromised by Velvet Ant, the attackers first exploited the command injection flaw to create a file with base64-encoded content. They then issued commands to decode it and save the result as a file called ufdm.so. On Linux systems, .so files are shared object libraries that are loaded into other processes, and ufdm is the name of a legitimate NX-OS binary.

After creating their malicious library, the attackers replaced the legitimate ufdm file with a copy of curl, another legitimate Linux tool for downloading files, and pointed the LD_PRELOAD environment variable at their ufdm.so. LD_PRELOAD tells the dynamic linker to load the listed shared objects before any other library when a program starts, so their code runs inside that process and can override standard library functions. They then executed the now fake /root/ufdm process, which loaded the malicious ufdm.so library into memory.

After running a few commands to confirm that the process was running and that the implant was making the expected network connections, they deleted the renamed ufdm and the ufdm.so file from disk to cover their tracks. Because the library was already mapped into the running process, removing the files had no effect on the implant itself.
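That sequence leaves a footprint in the kernel's view of the process even after the files are gone: executable mappings whose backing file is marked deleted, an LD_PRELOAD entry in the process environment, and a main executable that no longer exists on disk. The script below is an added example of generic Linux /proc forensics for exactly that footprint; it is not Sygnia's tooling and not specific to NX-OS. The sample /proc contents are constructed (paths and inode numbers invented) to resemble a process started the way the article describes.

```python
"""Find processes carrying the footprint described above: executable memory mappings
whose backing file has been unlinked, an LD_PRELOAD variable in the process
environment, and a deleted main executable.

Added example for this article; generic Linux /proc forensics in Python, not Sygnia's
tooling and not NX-OS-specific. The SAMPLE_* values are constructed to look like
/proc/<pid>/maps, /proc/<pid>/environ and the /proc/<pid>/exe link target of a process
started the way the article describes; the paths and inode numbers are invented.
"""
import os
from dataclasses import dataclass, field
from typing import List, Optional

DELETED = " (deleted)"   # suffix the kernel appends to paths whose file is unlinked


@dataclass
class ProcessIndicators:
    pid: int
    deleted_mappings: List[str] = field(default_factory=list)
    preload: Optional[str] = None
    exe_deleted: bool = False

    def suspicious(self) -> bool:
        return bool(self.deleted_mappings or self.preload or self.exe_deleted)


def deleted_executable_mappings(maps_text: str) -> List[str]:
    """Paths of executable (x) file-backed mappings marked '(deleted)'. Only executable
    segments are reported: a library removed after loading still has its code mapped,
    which is what lets the implant survive its own deletion."""
    found = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)     # addr perms offset dev inode [path]
        if len(parts) < 6:
            continue                    # anonymous mapping, nothing on disk to check
        perms, path = parts[1], parts[5].rstrip()
        if "x" in perms and path.endswith(DELETED):
            found.add(path[: -len(DELETED)])
    return sorted(found)


def preload_from_environ(environ: bytes) -> Optional[str]:
    """/proc/<pid>/environ is NUL-separated KEY=VALUE; return LD_PRELOAD if set."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None


def exe_is_deleted(exe_target: str) -> bool:
    """readlink(/proc/<pid>/exe) ends in ' (deleted)' once the binary is unlinked."""
    return exe_target.endswith(DELETED)


def analyze(pid: int, maps_text: str, environ: bytes, exe_target: str) -> ProcessIndicators:
    return ProcessIndicators(
        pid=pid,
        deleted_mappings=deleted_executable_mappings(maps_text),
        preload=preload_from_environ(environ),
        exe_deleted=exe_is_deleted(exe_target),
    )


def inspect_pid(pid: int) -> ProcessIndicators:
    """Live collection; reading another user's environ and exe link needs root."""
    base = f"/proc/{pid}"
    with open(f"{base}/maps") as f:
        maps_text = f.read()
    with open(f"{base}/environ", "rb") as f:
        environ = f.read()
    return analyze(pid, maps_text, environ, os.readlink(f"{base}/exe"))


def scan_all() -> List[ProcessIndicators]:
    hits = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            ind = inspect_pid(int(name))
        except OSError:                 # process exited, or not ours to inspect
            continue
        if ind.suspicious():
            hits.append(ind)
    return hits


# Constructed samples, not captured from a real device.
SAMPLE_MAPS = """\
55d4c8a00000-55d4c8a4f000 r-xp 00000000 08:01 262148 /root/ufdm (deleted)
55d4c8c4f000-55d4c8c52000 rw-p 0004f000 08:01 262148 /root/ufdm (deleted)
7f1e3c000000-7f1e3c021000 rw-p 00000000 00:00 0      [heap]
7f1e3c400000-7f1e3c402000 r-xp 00000000 08:01 262160 /root/ufdm.so (deleted)
7f1e3c402000-7f1e3c403000 rw-p 00002000 08:01 262160 /root/ufdm.so (deleted)
7f1e3c600000-7f1e3c7c0000 r-xp 00000000 08:01 4331   /lib/x86_64-linux-gnu/libc.so.6
7f1e3c9c0000-7f1e3c9c2000 r--p 00000000 00:00 0      [vvar]
7ffd3a1e0000-7ffd3a201000 rw-p 00000000 00:00 0      [stack]
"""
SAMPLE_ENVIRON = b"PATH=/usr/bin:/bin\0LD_PRELOAD=/root/ufdm.so\0HOME=/root\0"
SAMPLE_EXE = "/root/ufdm (deleted)"

if __name__ == "__main__":
    print(analyze(4242, SAMPLE_MAPS, SAMPLE_ENVIRON, SAMPLE_EXE))
    if os.path.isdir("/proc"):
        for ind in scan_all():
            print(ind)
```

Two caveats for triage. Deleted executable mappings also appear legitimately after a package upgrade replaces a library or binary that is still running, so a hit should be compared against recent package activity and the expected install path of the named binary (a copy of ufdm running from /root rather than its normal location is the tell here). And on a Nexus switch this check presupposes underlying-OS access or a memory image, which, as the article notes, customers do not normally have.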

“This sequence highlights the sophistication and stealth of the threat actor’s operations during the post-exploitation phase,” the researchers said.

The Sygnia researchers managed to dump the device's memory and reconstruct the malicious code. It consisted of the known Unix backdoor TinyShell and the proxy tool 3proxy; while both have been used separately in attacks before, Velvet Ant appears to have combined them into a single custom binary. “The determination, adaptability and persistence of such threat actors highlights the sensitivity of a holistic response plan to not only contain and mitigate the threat but also monitor the network for additional attempts to exploit the network,” the researchers said.
