A Chinese state-sponsored hacking group has been observed using a zero-day exploit to infiltrate Internet Service Providers (ISPs), Managed Service Providers (MSPs), and IT sectors since at least June 12, 2024.
According to Lumen's Black Lotus Labs, the group, identified as Volt Typhoon (also tracked as Bronze Silhouette), is believed to have used the vulnerability, tracked as CVE-2024-39717, to breach organizations in the wild.
The exploit uses a complex process to inject malicious code into Versa Director servers, allowing the attacker to capture credentials in plaintext, “potentially enabling subsequent compromises of customer infrastructure through legitimate use of credentials,” Black Lotus Labs said.
US ISP Breaches
Versa Director servers are used by ISPs and MSPs to manage the network configurations of their software-defined wide area networking (SD-WAN) deployments. The attackers used a custom JAR web shell, dubbed “VersaMem” by Black Lotus Labs, that employs Java instrumentation and Javassist to inject code into the memory space of the Tomcat web server process on the victims’ Versa Director servers.
The web shell, named “VersaTest.png” and uploaded to VirusTotal on June 7, 2024, had no antivirus detections at the time of writing and can still be used to exploit unpatched Versa Director servers. So far, the vulnerability has been used to attack four victims inside the US and one victim outside the US.
Douglas McKee, executive director of threat research at SonicWall, commented on the attack: “The recent exploitation of a zero-day vulnerability in Versa Director software by Chinese state-backed hacking group Volt Typhoon highlights the critical importance of vulnerability research and product security testing. This attack, which targeted US ISPs and MSPs, underscores how sophisticated threat actors can leverage undiscovered and therefore unpatched vulnerabilities to infiltrate and compromise critical infrastructure. By conducting third-party vulnerability research and internal product security testing, organizations can identify and mitigate these weaknesses before they are exploited.”
Black Lotus Labs recommends that anyone concerned about compromised Versa Director servers within their network upgrade to version 22.1.4 or later and carry out the following checks for indicators of compromise (IOCs):
- Search for interactions with port 4566 on Versa Director servers from non-Versa node IP addresses (e.g. SOHO devices).
- Search the Versa webroot directory (recursively) for files ending with a “.png” extension that are not valid PNG files.
- Check for newly created user accounts and other abnormal files.
- Audit user accounts, review system/application/user logs, rotate credentials, analyze subsequent client accounts, and triage lateral movement attempts if indications of compromise are identified or if management ports 4566 or 4570 were exposed for any period of time.
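As an added example (not from the article or from Black Lotus Labs), the webroot check above in Python: it walks a directory tree, reads the leading bytes of every file named *.png, and flags those that lack the PNG signature, separating ZIP/JAR magic (the container format of a Java web shell) from anything else. The webroot path and the sample files it scans are constructed placeholders, not real artefacts.

```python
import os
import tempfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # first 8 bytes of every valid PNG file
ZIP_MAGIC = b"PK\x03\x04"           # JAR files are ZIP archives

def classify(path):
    """Return 'png', 'jar' or 'unknown' from the file's leading bytes."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(PNG_MAGIC):
        return "png"
    if head.startswith(ZIP_MAGIC):
        return "jar"
    return "unknown"

def find_fake_pngs(webroot):
    """Recursively list files named *.png under webroot whose content is not PNG."""
    suspects = []
    for root, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower().endswith(".png"):
                path = os.path.join(root, name)
                kind = classify(path)
                if kind != "png":
                    suspects.append((path, kind))
    return sorted(suspects)

def build_sample_tree(base):
    """Constructed sample webroot (hypothetical contents): one genuine PNG,
    one ZIP/JAR disguised as VersaTest.png, one text file with a .png name."""
    base = Path(base)
    (base / "images").mkdir(parents=True, exist_ok=True)
    (base / "images" / "logo.png").write_bytes(PNG_MAGIC + b"\x00" * 16)
    (base / "VersaTest.png").write_bytes(ZIP_MAGIC + b"\x00" * 16)
    (base / "images" / "readme.png").write_bytes(b"not an image at all\n")

def demo_scan():
    """Scan a temporary constructed tree; return sorted (filename, kind) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sorted((os.path.basename(p), k) for p, k in find_fake_pngs(tmp))

if __name__ == "__main__":
    for name, kind in demo_scan():
        print(f"{kind:8} {name}")
```

On a live server, point find_fake_pngs at the Versa webroot instead of the constructed tree; a hit of kind "jar" is the pattern described above and warrants the account audit and credential rotation in the last recommendation.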
You can find more recommendations on the Black Lotus Labs blog.