BACK TO NEWS
Breaking News

Cisco Fixes Critical Vulnerability Exploited by Chinese APT Group in Wild Attacks

2 min readSource: SecurityWeek

Cisco releases patches for CVE-2024-20399, a zero-day flaw actively exploited by Chinese threat actor UAT-9686 to deploy AquaShell backdoor on exposed appliances.

Cisco Addresses Zero-Day Exploited by Chinese Threat Actor

Cisco has released security updates to patch a critical vulnerability (CVE-2024-20399) that was actively exploited in the wild by a Chinese advanced persistent threat (APT) group identified as UAT-9686. The flaw was leveraged to deploy the AquaShell backdoor on vulnerable Cisco appliances with specific internet-exposed ports.

Technical Details

The vulnerability, tracked as CVE-2024-20399, affects Cisco appliances running vulnerable software versions. While Cisco has not disclosed full technical specifics, the flaw was exploited to gain unauthorized access and execute arbitrary commands. The AquaShell backdoor, a lightweight malware strain, was subsequently deployed to maintain persistence and facilitate further compromise.

The attack vector required certain ports to be exposed to the internet, highlighting the risks of improper network segmentation and misconfigured perimeter defenses.

Impact Analysis

The exploitation of CVE-2024-20399 by UAT-9686 underscores the ongoing threat posed by state-sponsored actors targeting network infrastructure. The AquaShell backdoor enables threat actors to:

  • Execute remote commands on compromised systems
  • Exfiltrate sensitive data
  • Establish a foothold for lateral movement within networks

Given the widespread use of Cisco appliances in enterprise and government environments, the vulnerability poses a significant risk to organizations with exposed devices.

Recommendations

Cisco has urged customers to immediately apply the available patches to mitigate the risk of exploitation. Security teams should also:

  • Audit network configurations to ensure no unnecessary ports are exposed to the internet
  • Monitor for signs of compromise, including unusual command executions or network traffic
  • Review logs for indicators of AquaShell activity, such as anomalous process executions or connections to known command-and-control (C2) servers

Organizations are advised to follow Cisco’s security advisory for detailed patching instructions and additional mitigation guidance.

For further analysis, refer to the original report by SecurityWeek.

Share

TwitterLinkedIn