In a concerning development for cybersecurity professionals worldwide, the Chinese state-backed hacking group known as Volt Typhoon has been linked to a series of sophisticated attacks exploiting a Zero-Day vulnerability in Versa Director, a critical management platform used by Internet Service Providers (ISPs) and Managed Service Providers (MSPs).
The vulnerability, CVE-2024-39717, affects Versa Director versions 21.2.3, 22.1.2, and 22.1.3. It allows attackers with administrator privileges to upload malicious Java files disguised as PNG images, which can be executed remotely. Versa Networks has classified this as a privilege elevation flaw, as it was primarily used to harvest credentials from users logging into the system.
Researchers at Lumen's Black Lotus Labs discovered the exploit on June 17, 2024, after analyzing a suspicious file uploaded to VirusTotal. Further investigation revealed that Volt Typhoon had exploited this vulnerability since June 12, 2024.
The attack method is particularly insidious:
- Attackers gain initial access through an exposed high availability (HA) port on Versa Director systems.
- They create an account with elevated privileges.
- The vulnerability is exploited to plant a custom Java web shell dubbed "VersaMem."
- The created account is optionally deleted to cover tracks.
- VersaMem then harvests the credentials of legitimate users who subsequently log in.
The attacks have primarily targeted the IT, ISP, and MSP sectors, with at least four victims in the United States and one outside the U.S. identified. The potential for supply chain attacks is significant, as compromised MSPs could provide access to numerous downstream clients.
Cybersecurity firm Censys has identified 163 Versa Director servers exposed on the internet, eight of which are potentially vulnerable due to exposed HA ports. The geographical distribution of these vulnerable servers includes five in the U.S. and one each in China, Hong Kong, and the Czech Republic.
Volt Typhoon, also known as Bronze Silhouette, has a history of sophisticated attacks targeting critical infrastructure. Their tactics include:
Versa Networks has responded to the threat by:
- Releasing patches for affected versions of Versa Director;
- Advising customers to upgrade to version 22.1.4 or apply the latest hotfixes;
- Emphasizing the importance of following their system hardening and firewall guidelines, which have been available since 2015 and 2017, respectively.
Security experts recommend the following steps for potentially affected organizations:
- Upgrade Versa Director to the latest patched version immediately;
- Implement Versa's system hardening and firewall guidelines;
- Check for signs of compromise by inspecting the /var/versa/vnms/web/custom_logo/ folder for suspicious files;
- Review newly created accounts and restrict access to the HA ports (4566 and 4570).
This incident underscores the importance of promptly applying security patches and following vendor-provided hardening guidelines. As state-sponsored threat actors like Volt Typhoon evolve their tactics, organizations must remain vigilant and proactive in their cybersecurity measures to protect their infrastructure and data.
Follow SecureWorld News for more stories related to cybersecurity.
