Since at least June 12, 2024, a Chinese state-sponsored hacking group has been observed using a zero-day exploit to infiltrate internet service providers (ISPs), managed service providers (ISPs), and the IT sector.
Black Lotus Labs by Lumen believes the group, tracked as Volt Typhoon and Bronze Silhouette, was observed using the vulnerability, labeled as CVE-2024-39717to plunder organizations in the wild.
The vulnerability uses a complex process to inject malicious code into Versa Director servers, allowing the attacker to steal cleartext credentials, “potentially enabling downstream compromise of client infrastructure through legitimate use of credentials,” according to Black Lots Labs.
US ISPs Violate
Versa Director servers are used by ISPs and MSPs to manage network configurations on software-defined wide area network (SD-WAN) software. The attackers used a custom JAR web shell – labeled “VersaMem” by Black Lotus Labs – that leverages Java instrumentation and Javassist to inject code into the Tomcat web server process memory space on victims’ Versa Director servers.
The web shell, named “VersaTest.png” and uploaded to VirusTotal on June 7, 2024, has no antivirus detections at the time of writing and can still be used to exploit unpatched Versa Director servers. So far, the vulnerability has been used to attack four victims inside the US and one victim outside the US.
Douglas McKee, executive director, threat research at SonicWall, commented on the attack, saying: “The recent exploitation of a zero-day vulnerability in the Versa Director software by Chinese state-sponsored hacking group Volt Typhoon highlights the critical importance of vulnerability research and product security testing. This attack, targeting U.S. ISPs and MSPs, underscores how undiscovered, and therefore unpatched, vulnerabilities can be abused by advanced threat actors to infiltrate and compromise critical infrastructure. By conducting third-party vulnerability research and internal product security testing, organizations can identify and mitigate these weaknesses before they are exploited.”
Black Lotus Labs advises those concerned about a compromise of Versa Director servers within their network to upgrade to version 22.1.4 or later and watch for the following indicators of compromise (IOCs):
- Search for interactions with port 4566 on Versa Director servers from non-Versa node IPs (e.g. SOHO devices).
- Search the Versa webroot directory (recursively) for files ending with a “.png” extension that are not valid PNG files.
- Check for newly created user accounts and other anomalous files.
- Auditing user accounts, reviewing system/application/user logs, rotating credentials, analyzing downstream customer accounts, and triaging lateral movement attempts if there are indications of a compromise or if management ports 4566 or 4570 have been exposed for a period of time.
Further recommendations can be found on the Black Lotus Labs blog.