CyberWire Daily - Velvet Ant's silent invasion. [Research Saturday]
Episode Date: November 2, 2024. This week, we are joined by Amnon Kushnir from Sygnia, who is sharing their work on "China-Nexus Threat Group ‘Velvet Ant’ Leverages a Zero-Day to Deploy Malware on Cisco Nexus Switches." In early 2024, Sygnia observed the ‘Velvet Ant’ threat group exploiting a zero-day vulnerability (CVE-2024-20399) to infiltrate Cisco Switch appliances and operate undetected within enterprise networks. This attack enables threat actors to escape Cisco’s command interface and install malware directly on the device’s OS, bypassing standard security tools. The incident underscores the risks posed by third-party appliances and the importance of enhanced monitoring and threat detection to counter advanced persistent threats. The research can be found here: China-Nexus Threat Group ‘Velvet Ant’ Leverages a Zero-Day to Deploy Malware on Cisco Nexus Switches
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities, solving some of the hard problems,
and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
What started as an incident with another threat actor evolved into another incident with another
threat actor in the same environment. So it was an interesting turn of events, I would say.
That's Amnon Kushnir, Director of Incident Response at Sygnia.
The research we're discussing today is titled
China Nexus Threat Group Velvet Ant Leverages a Zero Day
to Deploy Malware on Cisco Nexus switches.
And then we came across Velvet Ant as part of our post-breach monitoring and research.
Interesting. Well, let's start with some descriptions here. Who is Velvet Ant and where do you suppose they're coming from?
but the indications seem to be that way,
since we've seen some usage of IP addresses
that are correlated with PlugX and ShadowPad,
which are known to be used by China-nexus threat actors.
I see.
And who do they seem to be targeting here?
Okay, so in terms of the client, of course, we cannot disclose them
due to confidentiality that we are keeping with
our clients. But I can say that they are a large
corporate, and the main goal of Velvet Ant
is espionage.
Well, let's dig into some of the tactics, techniques, and procedures here.
How does someone find themselves in the crosshairs of Velvet Ant?
Okay, so Velvet Ant, one of the things that characterizes this threat actor
is the adaptability.
So they will do whatever it takes in order to resume their operations
and to increase the level of evasiveness throughout the operations
if they are being detected.
So maybe a quick brief about the history with Velvet Ant.
So Velvet Ant was first discovered since they operated on some Windows devices
that were up to date.
And we were able to detect them using their tools,
which were PlugX and ShadowPad.
And later on, they shifted their operation
towards network devices and legacy Windows servers that are not updated
and do not support many modern EDRs.
And after we've detected them moving their operations towards there,
targeting specifically legacy F5 load balancers,
and we published this as the first blog post about Velvet Ant,
basically exposing them for the first time.
They also shifted the operation towards Cisco Nexus switch devices
in order to be even more evasive on that sense.
So they do have the ability to adapt and they are very sophisticated
to operate from legacy F5 load balancers, and the ability to exploit a zero-day on
Cisco devices is something that we call using the big guns.
And this is definitely escalation in terms of the evasiveness and sophistication. And this is all to have the operation up and running.
Well, your research goes into quite some detail about how they go after this Cisco switch appliance.
Can you share some of the details there? What exactly did they do?
Yes. So if we're taking into consideration the operation on the Cisco Nexus switch devices, we've seen them basically leveraging
a zero-day exploitation of the command injection type
in order to shift between the NX-OS level,
which is the Cisco operating system,
towards the Linux underlay.
The way that the Cisco Nexus switch devices are built,
and specifically the N7K in that case,
is that there is the OS level that Cisco provides,
which the user interacts in order to manage the switch,
which is called NX-OS.
And then there is the Linux underlay,
which is running this NX-OS.
And what they did is using Zero Day in order to,
you can call it either jailbreak or escape
the context of NX-OS,
and then be able to execute code freely on the Linux underlay.
After they achieved this capability
to execute code on the Linux level,
then they deployed a malware that is comprised of
two open-source tools in order to have the ability to,
A, perform a remote code execution
without the need of authenticating to the Nexus device,
and B, to tunnel their traffic from or via the Nexus device itself.
This is the high level of it.
And when we are talking about the malware itself,
as we call it at Sygnia, VelvetShell,
this is a malware that's comprised of these two open source tools.
One is called TinyShell, and the other is called 3proxy.
And the version of TinyShell that Velvet Ant utilizes is a specific version,
not the most popular one,
but it is a version that supports, I would say,
tampering the history log files in the Linux layer.
So basically, whenever they will execute a command
via the malware, it will not be recorded on the Linux.
So it's another way of keeping the operation
hidden from eyesight.
And how sophisticated would you say this group is?
So I would say that they are very sophisticated.
And given the fact that they will utilize
the zero-day on a Nexus device,
which is something that is very uncommon,
we need to say here that the Nexus device
or Nexus switch device is not the day-to-day switch
that you will have in your home.
This is a core switch of data centers.
It will not be found in your office or in your home,
only on data centers, mainly on data centers.
And the fact that they thought about moving their operations
to be originating or going through these areas
will allow them not only the superiority
in order to access many different segments in the network,
but to be very evasive
since the traffic is generated from the switch itself
and not from a device, which can be quite confusing
for teams that are investigating such activity.
Once they are able to have access
to one of these Cisco devices,
can you give us an idea of the spectrum
of capabilities they have?
What sorts of things are they able to do
to exfiltrate data?
Yes, so after they are compromising a switch device,
they are implementing this Velvet Shell malware
in order to, A, execute commands on the switch itself
in order to have more reconnaissance
in terms of the network segments,
and then to tunnel their traffic
into other areas in the network.
From there, they can either try to compromise other machines
or devices in the network in order to collect data from them
or even have another stronghold in the network,
or they can access all kinds of potential objectives that they have in the application level
and generate such traffic.
So what are your recommendations
for organizations to best protect themselves?
So since here we are talking about
something that is not traditionally monitored,
such Nexus devices,
mainly these kind of devices are monitored
for IT matters.
For example, for the utilization of the device
and making sure that it's healthy.
But here we are talking about
monitoring it for the security purposes.
So in order to monitor, what we implemented is two-way monitoring. One of them is the
NetFlow protocol that Cisco provides that can be enabled on the switch level. And the other thing is sending syslog, for which the logging level needs to be increased.
In the default manner, they are not configured.
Usually, they are not configured properly.
And then you need to raise the level of auditing,
for example, to AAA level 6,
and then forward it into a SIEM solution or to centralize
the place in order to monitor for
suspicious commands that are being executed on the device itself.
And this is specific about the Cisco Nexus switch. As I mentioned, since they are
trying to escape NX-OS and going into the Linux, if you are suspecting that the switch is
or was indeed compromised, then you will have to go via Cisco in order to get their support to extract the logs
from the device or from the Linux level itself. This is, by the way, what we did. And Cisco
helped us to collect the artifacts from the Linux level. And then this is the way that we have
discovered VelvetShell. So I would say to keep an eye on what's happening with the NX-OS layer, and then
if there is a suspicion, to escalate it to Cisco
or to Sygnia. We can also assist in that sense.
I mean, it sounds like it's quite likely that organizations
could go quite a long time without having
any suspicion that they had an issue here.
If everything's working the way that it's supposed to,
and Velvet Ant is preventing things from being logged the way that they typically are,
there's not a whole lot of red flags indicating that you have a problem.
Correct. So it all starts with a good visibility on the network
and periodic threat hunts.
This is also important in order to make sure that
we're not missing anything in the day-to-day routines.
So from time to time, we do recommend to do periodic threat hunts
that focus on different areas on the network that might be relevant as crown jewels.
Or let's say in the case of Velvet Ant, for espionage.
And then to try to scope a specific threat hunt that will cover all kinds of scenarios that shouldn't
occur. For example, in the case of
detecting Velvet Ant operating from the
Cisco Nexus switch,
we had different means of monitoring
in other places in the network,
and therefore we were able to catch this very unusual activity.
All right.
Well, I think I have everything I need for our story here.
Is there anything I missed,
anything I haven't asked you that you think it's important to share?
So just maybe a word for the public.
We believe at Sygnia that sharing is caring.
And this is a very, I would say, effective way to fight cybercrime around the world.
And this is why we are also sharing whatever we can about Velvet Ant
and other threat actors in general.
So we really encourage the rest of the community
to follow this standard.
And if you have any suspicion
that Velvet Ant is targeting you or have seen any of these IOCs,
we really recommend to contact us since we have the
expertise and knowledge with Velvet Ant and similar actors.
Our thanks to Amnon Kushnir from Sygnia for joining us.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector,
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter.
Learn how at N2k.com.
This episode was produced by Liz Stokes.
We're mixed by Elliot Peltzman and Trey Hester.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time.