Volt Typhoon, a Chinese state-sponsored hacking group, has been discovered exploiting a zero-day vulnerability in Versa Director servers, used by managed service providers and internet service providers.
CVE-2024-39717 was added to CISA’s “Catalog of Known Exploited Vulnerabilities” on August 23 after Lumen Technologies discovered its active exploitation.
Censys data shows that 163 devices in the United States, the Philippines, Shanghai and India remain exposed, despite Versa Networks releasing a patch for Versa Director versions 21.2.3, 22.1.2 and 22.1.3. The security firm urged users of these devices to segment them into a protected network and isolate them from the internet.
Why did cybercriminals attack Versa Director servers?
Versa Director servers allow MSPs and ISPs to centrally manage network configurations for devices running SD-WAN software. They are a popular target for hackers because they can be used to exploit multiple systems.
Due to the potential for a large-scale attack, Versa Networks has given the vulnerability a “high severity” rating, although it is relatively difficult to exploit.
CVE-2024-39717 affects all versions of Versa Director prior to 22.1.4. Cybercriminals exploited it using a custom web shell that Black Lotus Labs, the cyber research division of Lumen Technologies, calls “VersaMem.” The web shell intercepts credentials that attackers can use to gain authorized access to other users’ networks.
According to its vulnerability report, Black Lotus Labs has linked the exploitation of CVE-2024-39717 to Volt Typhoon with “moderate confidence.” It also stated that it is “likely that attacks are occurring against unpatched Versa Director systems.”
WATCH: Microsoft warns of Typhoon Volt, the latest salvo in global cyberwar
Versa maintains that there has only been one confirmed case of exploitation by an advanced persistent threat actor. It also stated that the customer “had not implemented system and firewall hardening guidelines” published in 2017 and 2015, respectively, meaning that a management port was left exposed. This port provided the threat actor with initial access without needing the Versa Director graphical user interface.
However, the Black Lotus Labs team says it has identified threat actors exploiting the vulnerability at four US companies and one non-US company across the ISP, MSP and IT sectors since June 12. Versa has said the cases based on observations from a third-party vendor are “unconfirmed to date.”
In their report, the analysts wrote: “Threat actors gain initial administrative access via an exposed Versa management port intended for high availability (HA) pairing of Director nodes, leading to exploitation and deployment of the VersaMem web shell.”
CISA recommends that all vulnerabilities listed in the Catalog of Known Exploited Vulnerabilities be promptly remediated as part of the enterprise's vulnerability management practice.
How can CVE-2024-39717 be exploited?
The CVE-2024-39717 vulnerability allows authenticated users with high-level privileges to upload malicious files, sometimes disguised as images, which can then execute malicious code. Once exploited, the vulnerability can be used to gain unauthorized access and escalate privileges.
The Volt Typhoon threat actors gained privileged access to Versa Director by exploiting an exposed Versa management port, intended for high-availability bonding of Director nodes. They then deployed a custom web shell on the Apache Tomcat web server, giving them remote control, before using memory injection techniques to inject malicious code into legitimate Tomcat processes. Such injected code allowed them to execute commands and control the compromised system while blending in with normal traffic.
Finally, they modified Versa’s “setUserPassword” authentication functionality to intercept and capture client credentials in plain text, which they could then use to compromise the client’s infrastructure.
The web shell was also used to intercept Tomcat's “doFilter” request filtering feature and intercept incoming HTTP requests. Threat actors can then inspect them for sensitive information or dynamically load Java modules into memory.
Who is Volt Typhoon?
Volt Typhoon is a Chinese state-sponsored hacking group that has carried out hundreds of attacks on critical infrastructure since it began operating in mid-2021. In May 2023, Microsoft published a warning about the group, stating that it used data extraction and cyber-espionage techniques that “live off the land.”
In December 2023, an FBI investigation uncovered a wide-ranging botnet attack by the gang, created from hundreds of private routers across the United States and its overseas territories. The following month, Justice Department investigators said the malware had been removed from the affected routers, thereby neutralizing the botnet.
Recommendations for protecting Versa Director servers
Versa Networks and Lumen Technologies make a number of recommendations to users of Versa Director servers:
- Patch immediately: Patches are available for versions 21.2.3, 22.1.2, and 22.1.3.
- Apply hardening best practices: Versa Networks recommends following their firewall and system hardening requirements.
- Check if the vulnerability has already been exploited:
a) Inspect “/var/versa/vnms/web/custom_logo/” for suspicious files. Run the command “file -b –mime-type <.png file="">” to report the file type as “image/png”.
b) Look for interactions with port 4566 on Versa Director servers from non-Versa node IP addresses (e.g. SOHO devices).
c) Check for newly created user accounts and other abnormal files.
d) Review existing accounts, records, and credentials and triage any lateral movement attempts if indicators of compromise are detected. - Block external access to ports 4566 and 4570: Ensure that ports are only open between the active and standby Versa Director nodes for HA peering traffic. Read the customer support article named Versa Director HA Port Exploit – Discovery and Remediation.
For more technical information, indicators of compromise, and recommendations, see Black Lotus Labs’ report and YARA’s rules for threat hunting.
