Chinese APT group Velvet Ant deployed custom backdoor on Cisco Nexus switches
- by nlqip
The attack demonstrates the sophistication of Velvet Ant’s tactics
Based on evidence found by Sygnia on a Cisco Nexus switch compromised by Velvet Ant, the attackers first exploited the command injection flaw to create a file containing base64-encoded content. They then issued commands to decode that content and save the result as a file named ufdm.so. On Linux systems, .so files are shared object libraries that are loaded into other processes, and ufdm is also the name of a legitimate file on NX-OS, which runs on a Linux base.
After creating their malicious library, the attackers replaced the legitimate ufdm file with a copy of curl, another legitimate Linux tool, used for downloading files, and pointed the LD_PRELOAD environment variable at their ufdm.so. LD_PRELOAD makes the dynamic linker load the listed libraries before any others, so their symbols take precedence over those of the standard libraries. They then executed the now-fake /root/ufdm process, which loaded their malicious ufdm.so library into memory.
After running a few commands to confirm that the process was running and that their implant was making the expected network connections, they deleted the renamed ufdm and the ufdm.so file from disk to cover their tracks.
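The clean-up step described above leaves a trace a responder can look for: a shared object that is unlinked from disk stays mapped in the running process, and the kernel marks that mapping "(deleted)" in /proc/<pid>/maps, while the LD_PRELOAD setting survives in /proc/<pid>/environ. The Python script below is an added example, not code from Sygnia's report or from Cisco, that checks both signals. It first runs against a constructed sample mirroring the described chain (the paths /root/ufdm and /root/ufdm.so come from the article; the pid, map addresses and inode numbers are made up) and then, when /proc is present, against the live process table of a standard Linux host.

```python
"""Find processes that were started with LD_PRELOAD or still map a deleted .so.

Added example: assumes a standard Linux procfs layout (/proc/<pid>/environ,
/proc/<pid>/maps, /proc/<pid>/exe); reading other users' processes needs root.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List

DELETED_SUFFIX = " (deleted)"  # appended by the kernel once the backing file is unlinked


@dataclass
class Finding:
    pid: int
    preload: List[str] = field(default_factory=list)       # libraries named in LD_PRELOAD
    deleted_libs: List[str] = field(default_factory=list)  # mapped .so files gone from disk
    exe_deleted: bool = False                              # main binary gone from disk
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Parse the NUL-separated contents of /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def deleted_libraries(maps_text: str) -> List[str]:
    """Return mapped shared objects whose backing file has been unlinked.

    Each /proc/<pid>/maps line is: address perms offset dev inode pathname.
    """
    libs: List[str] = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no pathname
        path = fields[5]
        if path.endswith(DELETED_SUFFIX):
            path = path[: -len(DELETED_SUFFIX)]
            if ".so" in os.path.basename(path) and path not in libs:
                libs.append(path)
    return libs


def assess(pid: int, environ_raw: bytes, maps_text: str, exe_target: str) -> Finding:
    """Combine the three signals for one process into a Finding."""
    f = Finding(pid=pid)
    env = parse_environ(environ_raw)
    f.preload = [p for p in re.split(r"[:\s]+", env.get("LD_PRELOAD", "")) if p]
    f.deleted_libs = deleted_libraries(maps_text)
    f.exe_deleted = exe_target.endswith(DELETED_SUFFIX)
    if f.preload:
        f.reasons.append("LD_PRELOAD set: " + ", ".join(f.preload))
    for lib in f.deleted_libs:
        tag = "preloaded and " if lib in f.preload else ""
        f.reasons.append(f"{tag}mapped library deleted from disk: {lib}")
    if f.exe_deleted:
        f.reasons.append("executable deleted from disk: " + exe_target)
    return f


def scan_proc() -> List[Finding]:
    """Assess every readable /proc/<pid> on the live host."""
    hits: List[Finding] = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                environ_raw = fh.read()
            with open(f"/proc/{pid}/maps") as fh:
                maps_text = fh.read()
            exe_target = os.readlink(f"/proc/{pid}/exe")
        except OSError:  # permission denied, kernel thread, or process already gone
            continue
        result = assess(pid, environ_raw, maps_text, exe_target)
        if result.suspicious:
            hits.append(result)
    return hits


# Constructed sample (not captured data): a curl copy running as /root/ufdm with
# LD_PRELOAD=/root/ufdm.so after the library has been unlinked from disk.
SAMPLE_ENVIRON = b"PATH=/usr/bin:/bin\0LD_PRELOAD=/root/ufdm.so\0HOME=/root\0"
SAMPLE_MAPS = """\
55d3c0e00000-55d3c0e1b000 r--p 00000000 fd:00 131073 /root/ufdm
7f1a2b400000-7f1a2b402000 r--p 00000000 fd:00 131074 /root/ufdm.so (deleted)
7f1a2b402000-7f1a2b405000 r-xp 00002000 fd:00 131074 /root/ufdm.so (deleted)
7f1a2b600000-7f1a2b7c0000 r-xp 00000000 fd:00 262145 /usr/lib64/libc.so.6
7ffd8c1e0000-7ffd8c201000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_EXE = "/root/ufdm"
CLEAN_ENVIRON = b"PATH=/usr/bin:/bin\0HOME=/root\0"
CLEAN_MAPS = "7f1a2b600000-7f1a2b7c0000 r-xp 00000000 fd:00 262145 /usr/lib64/libc.so.6\n"

if __name__ == "__main__":
    demo = assess(4242, SAMPLE_ENVIRON, SAMPLE_MAPS, SAMPLE_EXE)
    print(f"sample pid {demo.pid} suspicious={demo.suspicious}")
    for reason in demo.reasons:
        print("  -", reason)
    if os.path.isdir("/proc"):
        for hit in scan_proc():
            print(f"pid {hit.pid}: " + "; ".join(hit.reasons))
```

Two caveats when running this for real: a "(deleted)" library mapping is also what a package upgrade leaves behind until the process restarts, and LD_PRELOAD is used legitimately by some profilers and sandboxing tools, so a hit is a triage lead rather than a verdict. The strongest combination is the one the sample reproduces, a preloaded library that has since vanished from disk. Whether the NX-OS shell on a Nexus switch exposes procfs in exactly this form is not stated on this page; the script is written for an ordinary Linux host.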