Sygnia Reveals a Vulnerability in Cisco's Operating System
Sygnia discovered a vulnerability used for espionage by the Chinese hacker group Velvet Ant and immediately reported it to Cisco after an extensive investigation
The Israeli cyber company Sygnia has revealed a vulnerability in Cisco's NX-OS software, which affects a wide variety of Cisco Nexus devices used by many organizations in Israel and around the world. The security breach, carried out by the Chinese hacker group Velvet Ant, is considered one of the most sophisticated in the world. Sygnia researchers discovered the vulnerability and reported it to Cisco, providing detailed information about the attack, which was conducted for espionage purposes.
The vulnerability was identified during an extensive investigation by a team of Sygnia researchers after they were called to assist a client attacked by the Velvet Ant group. By exploiting this vulnerability, the Chinese hacker group was able to run malware of their own creation on the devices. This previously unknown software allowed the hackers to connect remotely to compromised Cisco Nexus devices, upload additional files, and run malicious code. The vulnerability enables an attacker who already holds administrator credentials for an affected Cisco device to run arbitrary commands directly on the Linux operating system underlying NX-OS, "jumping" from the Cisco CLI layer down to the Linux layer.
"In order to hide better on the network, the attackers switched to using the existing Cisco Nexus devices within the attacked organization," explains Oren Biderman, IR team leader and technical lead at Sygnia. "This time, the attackers used these devices to hide within the organization and to launch attacks within the network, as most organizations do not monitor cyber threats in their communication equipment."
Network appliances, particularly switches, are often not monitored, and their logs are not usually forwarded to a central monitoring system. This lack of visibility makes malicious activity on these devices hard to identify and investigate. Sygnia recommends that organizations harden administrative access to their switches and implement their own monitoring of what is executed on them.
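One way to start closing the monitoring gap described above, as an added example that is not Sygnia's or Cisco's code: a small detector run over NX-OS command-accounting lines that flags transitions from the NX-OS CLI into the underlying bash shell and file staging to bootflash. The log format, rule patterns and sample lines are constructed assumptions, not taken from the investigation.

```python
import re
from dataclasses import dataclass

# Constructed NX-OS accounting-log sample (format assumed from "show accounting log";
# hosts, users and timestamps are made up for this example).
SAMPLE_LOG = """\
Mon Jul  1 09:12:03 2024:type=start:id=10.0.0.5@pts/0:user=admin:cmd=
Mon Jul  1 09:12:10 2024:type=update:id=10.0.0.5@pts/0:user=admin:cmd=show version (SUCCESS)
Mon Jul  1 09:13:41 2024:type=update:id=10.0.0.5@pts/0:user=admin:cmd=configure terminal ; feature bash-shell (SUCCESS)
Mon Jul  1 09:13:55 2024:type=update:id=10.0.0.5@pts/0:user=admin:cmd=run bash (SUCCESS)
Mon Jul  1 09:20:02 2024:type=update:id=10.0.0.5@pts/0:user=admin:cmd=copy scp://ops@203.0.113.9/update.bin bootflash: (SUCCESS)
Mon Jul  1 09:25:00 2024:type=update:id=10.0.0.7@pts/1:user=netops:cmd=show interface brief (SUCCESS)
"""

LINE_RE = re.compile(r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<id>[^:]+):user=(?P<user>[^:]*):cmd=(?P<cmd>.*)$")
RESULT_RE = re.compile(r"\s*\((SUCCESS|FAILURE)\)\s*$")

# Detection rules: leaving the NX-OS CLI for the Linux layer, and staging files on the device.
RULES = [
    ("shell-escape", re.compile(r"\brun\s+bash\b|\bfeature\s+bash-shell\b", re.I)),
    ("file-staging", re.compile(r"^copy\s+\S+\s+bootflash:", re.I)),
]

@dataclass
class Alert:
    rule: str
    user: str
    source: str   # remote address and tty the command came from
    cmd: str

def parse_line(line):
    """Return the accounting record as a dict, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def detect(log_text):
    """Run every rule over each executed command and collect alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["type"] != "update":   # only 'update' records carry commands
            continue
        cmd = RESULT_RE.sub("", rec["cmd"]).strip()
        for name, pattern in RULES:
            if pattern.search(cmd):
                alerts.append(Alert(name, rec["user"], rec["id"], cmd))
    return alerts

def escalate(alerts):
    """Sessions that both dropped to bash and staged a file deserve immediate investigation."""
    by_source = {}
    for a in alerts:
        by_source.setdefault(a.source, set()).add(a.rule)
    return {src for src, rules in by_source.items() if {"shell-escape", "file-staging"} <= rules}

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"[{a.rule}] {a.user} from {a.source}: {a.cmd}")
    print("escalate:", escalate(found))
```

In practice the lines would come from the switch's forwarded accounting or syslog feed rather than an embedded string, and the rule set would be extended to whatever shell-access features are enabled on your platform.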
The Velvet Ant group, operating under the auspices of China, exploits vulnerabilities in communication equipment from various global manufacturers to evade routine monitoring measures. This allows the Chinese hackers to maintain prolonged access to corporate networks while attempting to steal sensitive information for espionage. Earlier this month, Sygnia published another study detailing the hackers' methods as part of a broad forensic investigation conducted for a large organization that fell victim to the sophisticated attack.