
New Zero-Day Attacks Linked to China’s “Volt Typhoon” – Krebs on Security

Malicious hackers are exploiting a zero-day vulnerability in Versa Director, a software product used by many Internet and computer service providers. Researchers believe this activity is related to Volt Typhoon, a Chinese cyber espionage group whose goal is to infiltrate critical U.S. networks and lay the foundation for the ability to disrupt U.S.-Asia communications during any future armed conflict with China.


Versa Director systems are primarily used by Internet Service Providers (ISPs) as well as Managed Service Providers (MSPs) that simultaneously serve the IT needs of many small and medium-sized businesses. In a security advisory released on August 26, Versa urged its customers to deploy a patch for the vulnerability (CVE-2024-39717), which the company said is addressed in Versa Director 22.1.4 or later.

According to Versa, the flaw allows attackers to upload a file of their choosing to vulnerable systems. The advisory places much of the blame on Versa customers who “failed to implement system hardening and firewall guidelines… leaving a management port exposed to the Internet that provided the threat actors with initial access.”

Versa’s advisory does not specify how it learned of the zero-day, but its vulnerability listing on mitre.org acknowledges that “there are reports of other vulnerabilities based on third-party vendor backend telemetry observations, but these are unconfirmed at this time.”

These third-party reports arrived in late June 2024 from Michael Horka, senior information security engineer at Black Lotus Labs, the security research arm of Lumen Technologies, which operates one of the largest backbone networks of the global Internet.

In an interview with KrebsOnSecurity, Horka said that Black Lotus Labs identified a web-based backdoor on Versa Director systems belonging to four U.S. victims and one non-U.S. victim in the ISP and MSP sectors, with the first known exploit activity occurring at a U.S. ISP on June 12, 2024.

“This makes Versa Director a lucrative target for advanced persistent threat (APT) actors who would like to view or control network infrastructure at scale, or pivot to additional (or downstream) networks of interest,” Horka wrote in a blog post published today.

Black Lotus Labs said it assessed with “medium” confidence that Volt Typhoon was responsible for the compromises, noting that the intrusions bear hallmarks of the Chinese state-sponsored espionage group — including zero-day attacks targeting IT infrastructure providers and Java-based backdoors that run only in memory.

In May 2023, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint warning (PDF) regarding Volt Typhoon, also known as “Bronze Silhouette” and “Insidious Taurus”, which describes how the group uses small office/home office (SOHO) network devices to mask its activity.

In early December 2023, Black Lotus Labs published its findings on “KV Botnet”, thousands of compromised SOHO routers that were chained together to form a covert data transfer network supporting various Chinese state-sponsored hacking groups, including Volt Typhoon.

In January 2024, the United States Department of Justice revealed that the FBI conducted a court-authorized takedown of the KV botnet shortly before Black Lotus Labs released its December report.

In February 2024, CISA again joined the FBI and NSA in warning that Volt Typhoon had compromised the IT environments of multiple critical infrastructure organizations—primarily in the communications, energy, transportation, and water and wastewater sectors—in the continental and non-continental United States and its territories, including Guam.

“Volt Typhoon’s targeting and behavioral pattern are not consistent with traditional cyber espionage or intelligence gathering operations, and U.S. authoring agencies assess with high confidence that Volt Typhoon actors are prepositioning themselves on IT networks to enable lateral movement to OT (operational technology) assets to disrupt functions,” the alert warns.

In a speech at Vanderbilt University in April, FBI Director Christopher Wray said China is developing “the capability to physically wreak havoc on our critical infrastructure at a time of its choosing” and that China’s plan is to “strike civilian infrastructure in an attempt to cause panic.”

Ryan English, a Lumen security engineer, said it was disappointing that his employer didn’t get at least an honorable mention in the Versa security advisory. He was, however, pleased that there are now far fewer Versa systems exposed to the attack.

“Lumen has been very close to its leadership over the last nine weeks in an effort to help them mitigate this situation,” English said. “We’ve given them everything we can along the way, so it’s a bit of a shame to be referred to as just a third party.”
