In a concerning development for cybersecurity professionals worldwide, the Chinese state-backed hacking group known as Volt Typhoon has been linked to a series of sophisticated attacks exploiting a zero-day vulnerability in Versa Director, the central management platform for Versa's SD-WAN product that is widely used by Internet Service Providers (ISPs) and Managed Service Providers (MSPs).
The vulnerability, CVE-2024-39717, affects Versa Director versions 21.2.3, 22.1.2, and 22.1.3. It allows an attacker who already holds administrator privileges to upload a malicious Java file disguised as a PNG image, which the server then executes. Versa Networks has classified this as a privilege elevation flaw; in the observed attacks it was primarily used to harvest the credentials of users logging into the platform.
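As an added example (not code from the article, from Versa Networks, or from Black Lotus Labs), the block below shows the kind of server-side upload check that refuses a Java archive dressed up as a PNG favicon: it ignores the filename and any client-supplied content type, sniffs the leading bytes for the ZIP signature every JAR carries, and then validates the PNG signature and the IHDR chunk CRC. The function names and the sample uploads are constructed for the example; the disguised-JAR sample is a ZIP local-file header with a MANIFEST entry name, not a real archive.

```python
"""Added example: magic-byte validation for an image upload endpoint.

The hypothetical accept_favicon() stands in for the server-side handler of a
'change favicon' style feature. Nothing here reproduces the real exploit; the
sample payloads are constructed inline for the demonstration.
"""
import struct
import zlib
from typing import Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"   # fixed 8-byte PNG file signature
ZIP_LOCAL_HEADER = b"PK\x03\x04"       # start of a ZIP local file header
ZIP_EMPTY_ARCHIVE = b"PK\x05\x06"      # end-of-central-directory (empty zip)


def sniff(data: bytes) -> str:
    """Classify an upload by its leading bytes only, never by its name."""
    if data.startswith(PNG_SIGNATURE):
        return "png"
    # A .jar (and .war, .zip, .docx ...) is a ZIP archive, so it starts
    # with the ZIP signature regardless of the extension it was given.
    if data.startswith(ZIP_LOCAL_HEADER) or data.startswith(ZIP_EMPTY_ARCHIVE):
        return "zip"
    return "unknown"


def is_valid_png(data: bytes) -> bool:
    """Require the PNG signature plus a well-formed IHDR chunk with a good CRC.

    Layout: signature(8) | length(4) | type(4) | IHDR data(13) | crc(4) = 33 bytes.
    """
    if not data.startswith(PNG_SIGNATURE) or len(data) < 33:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return False
    crc_expected = struct.unpack(">I", data[29:33])[0]
    # The CRC covers the chunk type and the chunk data, not the length field.
    return (zlib.crc32(data[12:29]) & 0xFFFFFFFF) == crc_expected


def accept_favicon(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an uploaded favicon may be stored. Returns (ok, reason)."""
    if not filename.lower().endswith(".png"):
        return False, "extension not .png"
    kind = sniff(data)
    if kind == "zip":
        # This is the disguised-JAR case: a .png name over archive bytes.
        return False, "ZIP/JAR signature inside a .png upload"
    if not is_valid_png(data):
        return False, "not a well-formed PNG"
    return True, "ok"


def make_png_header(width: int = 1, height: int = 1) -> bytes:
    """Build signature + IHDR chunk of a PNG (enough for the checks above)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    chunk = b"IHDR" + ihdr
    crc = zlib.crc32(chunk) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", len(ihdr)) + chunk + struct.pack(">I", crc)


# Constructed samples for the demonstration.
GOOD_PNG = make_png_header()
# ZIP local header fields (version, flags, method ...) padded with zeros, then
# the entry name a JAR would typically carry first.
FAKE_PNG_JAR = ZIP_LOCAL_HEADER + b"\x14\x00\x00\x00\x08\x00" + b"\x00" * 20 + b"META-INF/MANIFEST.MF"


if __name__ == "__main__":
    for name, blob in [("favicon.png", GOOD_PNG), ("favicon.png", FAKE_PNG_JAR),
                       ("favicon.png", PNG_SIGNATURE + b"junk")]:
        print(name, sniff(blob), accept_favicon(name, blob))
```

The point of the check is the order of operations: the ZIP signature test runs before any image parsing, so an archive never reaches an image library or a directory that a Java runtime might load from, and a PNG that is only a signature with garbage behind it is rejected as well.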
Researchers at Lumen's Black Lotus Labs identified the exploitation on June 17, 2024, after analyzing a suspicious file uploaded to VirusTotal. Further investigation revealed that Volt Typhoon had been exploiting this vulnerability since at least June 12, 2024.
The attack method is particularly insidious:
The attacks have primarily targeted the IT, ISP, and MSP sectors, with at least four victims in the United States and one outside the U.S. identified. The potential for supply chain attacks is significant, as compromised MSPs could provide access to numerous downstream clients.
Cybersecurity firm Censys has identified 163 Versa Director servers exposed on the internet, eight of which are potentially vulnerable because their high-availability (HA) management ports are reachable from the internet. The geographical distribution of these eight servers includes five in the U.S. and one each in China, Hong Kong, and the Czech Republic.
Volt Typhoon, also known as Bronze Silhouette, has a history of sophisticated attacks targeting critical infrastructure. Their tactics include:
Versa Networks has responded to the threat by:
Security experts recommend the following steps for potentially affected organizations:
This incident underscores the importance of promptly applying security patches and following vendor-provided hardening guidelines; in this case, both the unpatched versions and the internet-exposed HA ports that Versa's guidance says to restrict were preconditions for the attack. As state-sponsored threat actors like Volt Typhoon evolve their tactics, organizations must remain vigilant and proactive in their cybersecurity measures to protect their infrastructure and data.
Follow SecureWorld News for more stories related to cybersecurity.