Exploitation and Malware Deployment: Cisco patched a zero-day vulnerability in NX-OS that was exploited by threat actors to install previously unknown malware on vulnerable switches.
Sygnia's Report: Cybersecurity firm Sygnia reported the attacks to Cisco and linked them to a Chinese state-sponsored threat group known as Velvet Ant.
Attack Details: Attackers gained access to Cisco Nexus switches using administrator-level credentials, deploying custom malware that allowed remote access and execution of malicious code.
Vulnerability Description: The vulnerability allowed local attackers with Administrator privileges to execute arbitrary commands with root permissions due to insufficient validation of CLI command arguments.
Impacted Devices: Multiple Cisco switches running vulnerable NX-OS software were affected, including Nexus 3000, 5500, 5600, 6000, 7000, and 9000 series switches in standalone NX-OS mode.
Concealment of Compromise: The flaw enabled attackers to execute commands without triggering system syslog messages, helping them conceal signs of compromise on hacked devices.
Cisco's Recommendations: Cisco advised customers to monitor and regularly change credentials for administrative users and provided tools to check devices for exposure to the vulnerability.
Context of Previous Exploitations: Earlier, Cisco had warned about state-backed groups exploiting other zero-day vulnerabilities in ASA and FTD firewalls, indicating a broader campaign targeting government networks.