Volt Typhoon Hackers Exploit Zero-Day Vulnerability in Versa Director Servers Used by MSPs, ISPs
Volt Typhoon, a Chinese state-sponsored hacking group, has been caught exploiting a zero-day vulnerability in Versa Director servers, used by managed service providers and internet service providers.
CVE-2024-39717 was added to CISA’s “Known Exploited Vulnerabilities Catalog” on Aug. 23 after Lumen Technologies discovered its active exploitation.
Data from Censys shows that 163 devices in the U.S., Philippines, Shanghai, and India are still exposed to the internet, despite Versa Networks having released a patch for Versa Director versions 21.2.3, 22.1.2, and 22.1.3. Censys urged operators of these devices to move them into a segmented, protected network and isolate them from the internet.
Why cybercriminals targeted Versa Director servers
Versa Director servers enable MSPs and ISPs to centrally manage network configurations for devices running SD-WAN software. They present an attractive target for hackers because a single compromised Director gives an attacker a foothold in every customer network it manages.
Because of the potential for a large-scale attack, the vulnerability has been given a ‘high-severity’ rating by Versa Networks, even though it is relatively difficult to exploit: the attacker must already hold a highly privileged, authenticated account on the Director.
CVE-2024-39717 affects all Versa Director versions prior to 22.1.4. Cybercriminals exploited it using a custom-tailored web shell that Black Lotus Labs, the cyber research arm of Lumen Technologies, is calling “VersaMem.” The web shell intercepts legitimate credentials, which attackers can then use to log in to downstream customer networks as if they were authorised users.
Black Lotus Labs has linked the exploitation of CVE-2024-39717 to Volt Typhoon with “moderate confidence,” according to their vulnerability report. It also said that attacks are “likely ongoing against unpatched Versa Director systems.”
Versa maintains that there has only been one confirmed instance of its exploitation by an Advanced Persistent Threat actor. It also said that the customer had “failed to implement system hardening and firewall guidelines” published in 2017 and 2015, respectively — meaning a management port was left exposed. This port provided the threat actor with initial access without needing the Versa Director GUI.
However, the Black Lotus Labs team says it has identified threat actors exploiting the vulnerability at four U.S. companies and one non-U.S. company in the ISP, MSP, and IT sectors since June 12. Versa has said that instances based on the observations of a third-party provider are “unconfirmed to date.”
In their report, the analysts wrote: “The threat actors gain initial administrative access over an exposed Versa management port intended for high-availability (HA) pairing of Director nodes, which leads to exploitation and the deployment of the VersaMem web shell.”
CISA recommends that all vulnerabilities included in the Known Exploited Vulnerabilities Catalog are remediated quickly as part of an organisation’s vulnerability management practice.
How can CVE-2024-39717 be exploited?
CVE-2024-39717 allows authenticated users with high-level privileges to upload malicious files through the Director GUI, sometimes disguised as images (the uploads land under “/var/versa/vnms/web/custom_logo/”), which can then be executed on the server. Once exploited, the vulnerability can be used to gain unauthorised access and escalate privileges.
The Volt Typhoon threat actors gained privileged access to Versa Director by exploiting an exposed Versa management port intended for high-availability pairing of Director nodes. They then deployed a custom web shell on the Apache Tomcat web server, giving them remote control, before using memory injection techniques to insert malicious code into legitimate Tomcat processes. Such injected code allowed them to run commands and control the compromised system while blending in with normal traffic.
Finally, they modified Versa’s “setUserPassword” authentication functionality to intercept and capture client credentials in plaintext, which they could then use to compromise client infrastructure.
The web shell was also used to hook Tomcat’s ‘doFilter’ request filtering functionality and intercept inbound HTTP requests. The threat actors could then inspect those requests for sensitive information or dynamically load further Java modules in memory, without writing anything to disk.
Who is Volt Typhoon?
Volt Typhoon is a Chinese state-sponsored hacking group that has conducted hundreds of attacks on critical infrastructure since it became active in mid-2021. In May 2023, Microsoft released a warning about the group that stated it used “living off the land” data extraction and cyber espionage techniques.
In December 2023, an FBI investigation uncovered a wide-ranging botnet run by the group, built from hundreds of privately-owned routers across the U.S. and its overseas territories. The following month, Department of Justice investigators said that the malware had been deleted from affected routers, neutralising the botnet.
Recommendations for protecting Versa Director servers
Versa Networks and Lumen Technologies both make a number of recommendations to users of Versa Director servers:
- Patch immediately: Patches for versions 21.2.3, 22.1.2, and 22.1.3 are available.
- Apply hardening best practices: Versa Networks recommends following its Firewall and System Hardening requirements.
- Check to see if the vulnerability has already been exploited:
a) Inspect “/var/versa/vnms/web/custom_logo/” for any suspicious files. Run “file -b --mime-type <file>” on each file there; a legitimate logo reports “image/png,” so any file in that directory that reports a different type is suspect.
b) Search for connections to port 4566 on Versa Director servers from IP addresses that are not Versa nodes (e.g., SOHO devices).
c) Check for newly created user accounts and other abnormal files.
d) Review existing accounts, logs, and credentials, and triage any lateral movement attempts if indicators of compromise are detected.
- Block external access to ports 4566 and 4570: Ensure the ports are only open between the active and standby Versa Director nodes for HA-pairing traffic. Read the customer support article named Versa Director HA Port Exploit – Discovery and Remediation.
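The two mechanical checks above (a file in the logo directory that is not really a PNG, and a port 4566 connection from a peer that is not the other HA node) can be scripted. The following is an added example written for this article, not tooling from Versa Networks or Black Lotus Labs. It assumes the Director’s logo directory path and HA port given above, that the connection listing is in `ss -tn` format, and that the operator supplies the set of legitimate HA peer addresses; the sample `ss` output and the files it builds are constructed for the demo.

```python
"""Triage helpers for the CVE-2024-39717 checks described above.

Added example, not Versa's or Black Lotus Labs' code. Assumptions:
- logo uploads live under /var/versa/vnms/web/custom_logo/ (from the article)
- the HA pairing port is 4566 (from the article)
- connection data is in `ss -tn` column format
"""
import os
import tempfile
from typing import Iterable, List, Set, Tuple

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"          # 8-byte PNG file signature
HA_PORT = 4566
DEFAULT_LOGO_DIR = "/var/versa/vnms/web/custom_logo/"

# Constructed sample of `ss -tn` output: one legitimate HA peer (10.0.0.6)
# and one outside address talking to the HA port. Not real capture data.
SAMPLE_SS = """State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:4566 10.0.0.6:51234
ESTAB 0 0 10.0.0.5:4566 203.0.113.77:40022
ESTAB 0 0 10.0.0.5:443 198.51.100.9:55120
TIME-WAIT 0 0 10.0.0.5:4566 203.0.113.77:40031
"""


def is_png(data: bytes) -> bool:
    """True if the bytes start with the PNG signature (what `file` keys on)."""
    return data.startswith(PNG_MAGIC)


def scan_logo_dir(path: str = DEFAULT_LOGO_DIR) -> List[str]:
    """Return names of regular files under `path` that are not genuine PNGs.

    Equivalent to running `file -b --mime-type` on each file and flagging
    anything other than image/png: a web shell dropped through the logo
    upload keeps an image-looking name but carries no PNG header.
    """
    suspicious = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, "rb") as fh:
            head = fh.read(len(PNG_MAGIC))
        if not is_png(head):
            suspicious.append(name)
    return suspicious


def foreign_ha_peers(ss_lines: Iterable[str], ha_peers: Set[str]) -> List[Tuple[str, str]]:
    """From `ss -tn` lines, return (peer_ip, state) for every connection whose
    local port is the HA port and whose peer is not a known HA node."""
    hits = []
    for line in ss_lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":   # header or blank line
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        _, local_port = local.rsplit(":", 1)         # rsplit keeps IPv6 intact
        peer_ip, _ = peer.rsplit(":", 1)
        if local_port.isdigit() and int(local_port) == HA_PORT and peer_ip not in ha_peers:
            hits.append((peer_ip, state))
    return hits


def demo() -> dict:
    """Build a constructed logo directory and run both checks offline."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "logo.png"), "wb") as fh:
            fh.write(PNG_MAGIC + b"\x00" * 16)          # genuine PNG header
        with open(os.path.join(d, "favicon.png"), "wb") as fh:
            fh.write(b"PK\x03\x04" + b"\x00" * 16)      # zip/jar header under a .png name
        logo_hits = scan_logo_dir(d)
    peer_hits = foreign_ha_peers(SAMPLE_SS.splitlines(), {"10.0.0.6"})
    return {"logo": logo_hits, "peers": peer_hits}


if __name__ == "__main__":
    print(demo())
```

On a live Director you would call `scan_logo_dir()` with its default path and feed `foreign_ha_peers` the output of `ss -tn` (or a firewall log in the same shape), with `ha_peers` set to the standby node’s address. Both checks only surface candidates; a hit still needs the account, log and credential review in step d).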
For more technical information, indicators of compromise, and recommendations, see the report from Black Lotus Labs and YARA rules for threat hunting.