A Chinese state-sponsored hacking group has been observed using a zero-day exploit to infiltrate internet service providers (ISPs), managed service providers (ISPs) and IT sectors since at least June 12, 2024.
Lumen’s Black Lotus Labs believes the group, tracked as Volt Typhoon and Bronze Silhouette, was observed using the vulnerability, labelled as CVE-2024-39717, to breach organizations in the wild.
The vulnerability utilizes a complex process to inject malicious code into Versa Director servers, allowing the attacker to steal credentials in plaintext, “potentially enabling downstream compromises of client infrastructure through legitimate credential use,” Black Lots Labs said.
Breaching US ISPs
Versa Director servers are used by ISPs and MSPs to manage network configurations on software-defined wide area network (SD-WAN) software. The attackers used a custom JAR web shell – labeled “VersaMem” by Black Lotus Labs – that employs Java instrumentation and Javassist to inject code into the Tomcat web server process memory space on the victims Versa Director servers.
The web shell, named “VersaTest.png” and uploaded to VirusTotal on June 7, 2024, does not have any antivirus detections at time of writing, and can still be used to exploit unpatched Versa Director servers. So far, the vulnerability has been used to attack four victims within the US, and one non-US victim.
Douglas McKee, executive director, threat research at SonicWall, commented on the attack, stating, “The recent exploitation of a zero-day vulnerability in the Versa Director software by the Chinese state-backed hacking group Volt Typhoon highlights the critical importance of vulnerability research and product security testing. This attack, which targeted U.S. ISPs and MSPs, underscores how undiscovered and therefore unpatched vulnerabilities can be leveraged by sophisticated threat actors to infiltrate and compromise critical infrastructure. By performing third-party vulnerability research and internal product security testing, organizations can identify and mitigate these weaknesses before they are exploited.”
Black Lotus Labs recommends those concerned about compromise of Versa Director servers within their network to upgrade to version 22.1.4 or later and keep an eye out for the following indicators of compromise (IOCs):
- Searching for interactions with port 4566 on Versa Director servers from non-Versa node IPs (e.g. SOHO devices).
- Searching the Versa webroot directory (recursively) for files ending with a “.png” extension that are not valid PNG files.
- Checking for newly created user accounts and other abnormal files.
- Auditing user accounts, reviewing system/application/user logs, rotating credentials, analyzing downstream customer accounts and triaging lateral movement attempts if any indications of compromise are identified, or the management ports 4566 or 4570 were exposed for any period of time.
Further recommendations can be found on the Black Lotus Labs blog.