Chinese APT group Velvet Ant deployed custom backdoor on Cisco Nexus switches
- by nlqip
The attack demonstrates the sophistication of Velvet Ant’s tactics
Based on evidence found by Sygnia on a Cisco Nexus switch compromised by Velvet Ant, the attackers first exploited the command injection flaw in order to create a file with base64-encoded content. They then issued commands to decode the contents and save it to a file called ufdm.so. On Linux systems .so files are shared object libraries that are loaded by other processes, while ufdm is the name of a legitimate file on NX-OS.
After creating their malicious library, the attackers replaced the legitimate ufdm file with curl, another legitimate Linux tool for downloading files, and added their ufdm.so library to the LD_PRELOAD environment variable, which tells the dynamic loader to load the listed libraries before any others so their functions take precedence over those in the standard libraries. They then executed the now fake /root/ufdm process, which loaded their malicious ufdm.so library into memory.
After running some commands to make sure the process is running and their implant is creating the correct network connections, they deleted the renamed ufdm and ufdm.so files from disk in order to cover their tracks.
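The three traces that the technique described above leaves on a running Linux-based host (an LD_PRELOAD variable in the process environment, an executable whose file was unlinked, and a mapped shared object whose file was unlinked) can all be read from procfs. The following is an added detection example written for this article; it is not code from Sygnia, Cisco, or the Velvet Ant report. It assumes a Linux host with /proc mounted, and the process snapshot it checks is constructed to mimic the pattern the article describes (a copied curl running as /root/ufdm with /root/ufdm.so preloaded, both deleted after launch).

```python
"""
Detection sketch for LD_PRELOAD injection followed by deletion of the loaded files.
Added example, not Sygnia's or Cisco's code. Assumes a Linux host with procfs;
the sample process data at the bottom is constructed for illustration.
"""
import os
from typing import Dict, List


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Parse /proc/<pid>/environ, which is a sequence of NUL-separated KEY=VALUE records."""
    env: Dict[str, str] = {}
    for entry in raw.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def unlinked_shared_objects(maps_text: str) -> List[str]:
    """Return .so paths from /proc/<pid>/maps whose backing file has been deleted.

    Each maps line is: addr perms offset dev inode [pathname]. The kernel appends
    ' (deleted)' to a pathname whose inode is no longer linked in the filesystem,
    which is exactly what a library removed from disk after loading looks like.
    """
    seen: List[str] = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping with no pathname
        path = fields[5].strip()
        if path.endswith(" (deleted)") and ".so" in path and path not in seen:
            seen.append(path)
    return seen


def assess_process(pid: int, exe_link: str, environ_raw: bytes, maps_text: str) -> List[str]:
    """Apply the three checks to one process snapshot and return a list of findings."""
    findings: List[str] = []
    preload = parse_environ(environ_raw).get("LD_PRELOAD")
    if preload:
        findings.append(f"pid {pid}: LD_PRELOAD={preload}")
    # os.readlink('/proc/<pid>/exe') yields 'path (deleted)' once the binary is unlinked.
    if exe_link.endswith(" (deleted)"):
        findings.append(f"pid {pid}: executable unlinked from disk: {exe_link}")
    for so in unlinked_shared_objects(maps_text):
        findings.append(f"pid {pid}: mapped library unlinked from disk: {so}")
    return findings


def scan_live_procfs() -> List[str]:
    """Walk /proc on a live Linux host (reading other users' processes needs root)."""
    findings: List[str] = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/environ", "rb") as f:
                environ_raw = f.read()
            with open(f"/proc/{pid}/maps") as f:
                maps_text = f.read()
        except OSError:
            continue  # process exited or permission denied
        findings.extend(assess_process(pid, exe, environ_raw, maps_text))
    return findings


# Constructed snapshot of a process matching the article's pattern (sample data, not real telemetry).
SAMPLE_EXE = "/root/ufdm (deleted)"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/root/ufdm.so\0HOME=/root\0"
SAMPLE_MAPS = "\n".join([
    "55d0a0c00000-55d0a0c2a000 r-xp 00000000 fd:00 12345 /root/ufdm (deleted)",
    "7f3c1a000000-7f3c1a003000 r-xp 00000000 fd:00 12346 /root/ufdm.so (deleted)",
    "7f3c1a003000-7f3c1a004000 rw-p 00002000 fd:00 12346 /root/ufdm.so (deleted)",
    "7f3c1a100000-7f3c1a2c0000 r-xp 00000000 fd:00 777 /usr/lib64/libc.so.6",
    "7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]",
])

# Constructed benign snapshot: no preload, every mapped file still on disk.
BENIGN_ENVIRON = b"PATH=/usr/bin\0HOME=/root\0"
BENIGN_MAPS = "7f3c1a100000-7f3c1a2c0000 r-xp 00000000 fd:00 777 /usr/lib64/libc.so.6\n"

if __name__ == "__main__":
    for finding in assess_process(4242, SAMPLE_EXE, SAMPLE_ENVIRON, SAMPLE_MAPS):
        print(finding)
```

Running the module prints three findings for the constructed snapshot and none for the benign one; `scan_live_procfs()` applies the same checks across a real host. Note that LD_PRELOAD also has legitimate uses (debugging and instrumentation libraries), so on a production switch or server the preload check is a triage signal to pair with the unlinked-file checks, not a verdict on its own.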