Chinese APT group Velvet Ant deployed custom backdoor on Cisco Nexus switches
- by nlqip
The attack demonstrates the sophistication of Velvet Ant’s tactics
Based on evidence found by Sygnia on a Cisco Nexus switch compromised by Velvet Ant, the attackers first exploited the command injection flaw to create a file with base64-encoded content. They then issued commands to decode that content and save the result to a file called ufdm.so. On Linux systems, .so files are shared object libraries that are loaded by other processes, while ufdm is the name of a legitimate file on NX-OS.
After creating their malicious library, the attackers replaced the legitimate ufdm file with curl, another legitimate Linux tool for downloading files, and added their ufdm.so library to the LD_PRELOAD environment variable, which tells the dynamic loader to load the listed libraries before the standard ones so that their functions take precedence. They then executed the now-fake /root/ufdm process, which loaded their malicious ufdm.so library into memory.
After running commands to confirm that the process was running and that their implant was making the expected network connections, they deleted the renamed ufdm binary and the ufdm.so file from disk to cover their tracks.
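The sequence above (decode a base64 blob to a .so, swap a legitimate binary for curl, set LD_PRELOAD to a library outside the normal library directories, then delete the artifacts) leaves a recognisable trail in any shell or command-audit log. The following detector is an added example written for this article; it is not Sygnia's or Cisco's tooling. The log line format (`<timestamp> <user> <command>`), the trusted library directories and the sample log lines are all constructed assumptions for illustration.

```python
"""Flag the LD_PRELOAD shared-library hijack chain described in the article
in a command-audit log.  Added example, not the article's or Sygnia's code.
Log format, trusted-directory list and sample lines are constructed."""
import re
from typing import Dict, List

# Assumption: a preloaded library normally lives under one of these
# directories.  A library in /root, /tmp or similar is what this rule flags.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")

# (rule name, pattern over the command text, severity)
RULES = [
    ("base64_decode_to_so", re.compile(r"\bbase64\s+(-d|--decode)\b.*\.so\b"), "high"),
    ("binary_replaced_with_curl",
     re.compile(r"\b(cp|mv|ln)\b(?:\s+-\S+)*\s+\S*curl\s+(\S+)"), "high"),
    ("ld_preload_set", re.compile(r"\bLD_PRELOAD=(\S+)"), "high"),
    ("so_removed", re.compile(r"\brm\b.*\.so\b"), "medium"),
]

# Assumed audit-log layout: "<timestamp> <user> <command ...>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")

# The three steps that, in this order, reproduce the chain in the article.
REQUIRED_CHAIN = ("base64_decode_to_so", "binary_replaced_with_curl", "ld_preload_set")

# Constructed sample log (not real evidence); the base64 blob is a placeholder.
SAMPLE_LOG = [
    "2024-07-01T10:00:01Z admin echo PLACEHOLDER_B64_BLOB > /tmp/u.b64",
    "2024-07-01T10:00:05Z admin base64 -d /tmp/u.b64 > /root/ufdm.so",
    "2024-07-01T10:00:09Z admin cp /usr/bin/curl /root/ufdm",
    "2024-07-01T10:00:12Z admin LD_PRELOAD=/root/ufdm.so /root/ufdm",
    "2024-07-01T10:00:30Z admin rm /root/ufdm /root/ufdm.so",
    "2024-07-01T10:05:00Z admin LD_PRELOAD=/usr/lib/libtrusted.so ls",
    "2024-07-01T10:06:00Z admin show version",
]


def analyse_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per (line, rule) match, in log order."""
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # malformed line; a real pipeline would count these
        cmd = m.group("cmd")
        for name, rx, severity in RULES:
            hit = rx.search(cmd)
            if not hit:
                continue
            # LD_PRELOAD pointing at a trusted library directory is not the
            # pattern from the article; only flag libraries loaded elsewhere.
            if name == "ld_preload_set" and hit.group(1).startswith(TRUSTED_LIB_DIRS):
                continue
            findings.append({"ts": m.group("ts"), "user": m.group("user"),
                             "rule": name, "severity": severity, "cmd": cmd})
    return findings


def matches_playbook(findings: List[Dict[str, str]]) -> bool:
    """True when every step of REQUIRED_CHAIN appears, in the article's order."""
    seen = [f["rule"] for f in findings]
    positions = []
    for rule in REQUIRED_CHAIN:
        if rule not in seen:
            return False
        positions.append(seen.index(rule))
    return positions == sorted(positions)


if __name__ == "__main__":
    results = analyse_log(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']}] {f['ts']} {f['user']} {f['rule']}: {f['cmd']}")
    print("full chain observed:", matches_playbook(results))
```

Individual rules fire on benign administration too (an engineer may legitimately remove a .so), so the per-line findings are best treated as signals and `matches_playbook` as the alert condition; the trusted-directory exemption is deliberately narrow because, as the article notes, the whole point of the technique is loading a library from a location no standard process would use.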