Cisco warns of NX-OS zero-day exploited to deploy custom malware

Exploitation and Malware Deployment: Cisco patched a zero-day vulnerability in NX-OS that was exploited by threat actors to install previously unknown malware on vulnerable switches.

Sygnia's Report: Cybersecurity firm Sygnia reported the attacks to Cisco and linked them to a Chinese state-sponsored threat group known as Velvet Ant.

Attack Details: Attackers gained access to Cisco Nexus switches using administrator-level credentials, deploying custom malware that allowed remote access and execution of malicious code.

Vulnerability Description: The vulnerability allowed local attackers with Administrator privileges to execute arbitrary commands with root permissions due to insufficient validation of CLI command arguments.

Impacted Devices: Multiple Cisco switches running vulnerable NX-OS software were affected, including Nexus 3000, 5500, 5600, 6000, 7000, and 9000 series switches in standalone NX-OS mode.

Concealment of Compromise: The flaw enabled attackers to execute commands without triggering system syslog messages, helping them conceal signs of compromise on hacked devices.
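The two defensive points above (argument validation in a privileged CLI, and an audit record for every backend execution) in a toy model, added here as an example; this is hypothetical code, not Cisco's NX-OS implementation, and the interface-name allowlist, the backend path and the in-memory audit list are all assumptions standing in for the real CLI parser, root backend and syslog.

```python
"""Toy privileged CLI front end (hypothetical, not Cisco's code).

The defect class: an admin-level CLI hands a command argument to a
root-level backend without validating it. The weak version builds a
shell line by interpolation; the hardened version allowlists the
argument, never goes through a shell, and records every execution.
"""
import re
import shlex
import subprocess

# Allowlist for the one argument this toy command accepts (assumption).
IFACE_RE = re.compile(r"^(Ethernet|port-channel|mgmt)\d+(/\d+){0,2}$")

AUDIT_LOG: list[str] = []  # stands in for syslog in this toy model


def weak_backend_line(iface: str) -> str:
    """Weak: the raw argument lands in a shell command line unvalidated."""
    return f"/sbin/backend-show-iface {iface}"


def hardened_backend_argv(iface: str) -> list[str]:
    """Hardened: allowlist the argument and return an argv list (no shell)."""
    if not IFACE_RE.fullmatch(iface):
        # Rejections are logged too, so probing attempts leave a trace.
        AUDIT_LOG.append(f"REJECTED show interface {iface!r}")
        raise ValueError(f"invalid interface name: {iface!r}")
    argv = ["/sbin/backend-show-iface", iface]
    # Every backend execution is recorded before it runs; nothing is silent.
    AUDIT_LOG.append("EXEC " + shlex.join(argv))
    return argv


def run_hardened(iface: str) -> str:
    """Execute via argv with shell=False; 'echo' stands in for the root backend."""
    argv = hardened_backend_argv(iface)
    result = subprocess.run(["echo", *argv], capture_output=True,
                            text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    print(run_hardened("Ethernet1/1"))
    for entry in AUDIT_LOG:
        print(entry)
```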

Cisco's Recommendations: Cisco advised customers to monitor and regularly change credentials for administrative users and provided tools to check devices for exposure to the vulnerability.

Context of Previous Exploitations: Earlier, Cisco had warned about state-backed groups exploiting other zero-day vulnerabilities in ASA and FTD firewalls, indicating a broader campaign targeting government networks.