lconstantin
CSO Senior Writer

China’s Volt Typhoon exploits Versa zero-day to hack US ISPs and IT firms

News | 27 Aug 2024 | 5 mins
Advanced Persistent Threats, Cyberattacks, Technology Industry

The Chinese APT group leveraged the vulnerability to deploy a web shell that stole credentials from Versa Director SD-WAN deployments of ISPs, MSPs, and IT companies.


State-sponsored Chinese hackers exploited a zero-day vulnerability in Versa Director, a software platform for managing SD-WAN infrastructure used by internet service providers (ISPs) and managed service providers (MSPs). The group, known in the security industry as Volt Typhoon, has targeted US critical infrastructure organizations in the past.

“Black Lotus Labs has observed the zero-day exploitation of Versa Director servers, now assigned CVE-2024-39717, dating back to at least June 12, 2024,” researchers with Lumen Technologies’ Black Lotus Labs team wrote in a report. “This exploitation campaign has remained highly targeted, affecting several U.S. victims in the ISP, MSP and IT sectors.”

Versa Networks, developer of Versa Director and other SD-WAN and SASE products, patched CVE-2024-39717 this week. It had already alerted customers to review their firewall requirements on July 26 and informed them about the actively exploited flaw on August 9.

“Although the vulnerability is difficult to exploit, it’s rated ‘High’ and affects all Versa SD-WAN customers using Versa Director, that have not implemented the system hardening and firewall guidelines,” the company wrote in an advisory released Monday.

The company also added that firewall and system hardening guidelines have been available since 2015 and 2017 respectively and would have prevented exploitation of this flaw. The impacted systems had a management port exposed on the internet that provided the threat actors with initial access, the company said.

Dangerous file type upload leads to web shell

The vulnerability allows attackers to upload malicious files to the underlying Tomcat Java web server that hosts Versa Director, which in turn enables privilege escalation. Volt Typhoon used it to upload a web shell, a web script that provides backdoor access to a web server.

Black Lotus Labs has dubbed Volt Typhoon’s web shell VersaMem because it injects malicious code into the memory of the Tomcat server process by leveraging the Java Instrumentation API and the Javassist Java bytecode manipulation toolkit, rather than leaving a conventional script on disk.

The goal of the web shell is to steal plaintext credentials of Versa users by hooking Versa’s built-in “setUserPassword” authentication method. It is also capable of dynamically loading in-memory Java modules and receiving commands by monitoring for special parameters in web requests sent to the Tomcat server. Credentials captured by the web shell are stored locally in a temporary file and can potentially enable attackers to access and compromise downstream client infrastructure.

The attackers gained initial privileged access by connecting to the exposed Versa management interface on TCP port 4566 from compromised SOHO routers. This port is normally used only for Versa Director node pairing, so there should be no traffic on it from unknown IP addresses or from devices that are not Versa nodes.

“We assess the short timeframe of TCP traffic to port 4566 immediately followed by moderate-to-large sessions of HTTPS traffic over port 443 from a non-Versa node IP address (e.g. SOHO device) as a likely signature of successful exploitation,” the Black Lotus Labs researchers wrote.

Using Lumen’s global telemetry, the researchers identified four likely victims in the US and one outside the US, all in the ISP, MSP, and IT sectors.

The researchers also located a variant of VersaMem uploaded to the VirusTotal scanning engine on June 7, five days before the earliest known exploitation. The file was called VersaTest.png, was uploaded from an IP in Singapore, and had zero detections from the engines on VirusTotal.

Detection and mitigation

In addition to deploying the released patches and applying the firewall and system hardening guidelines, the researchers advise users to search the Versa webroot directory recursively for files that have a .png extension but are not actually valid PNG files. Running “file -b --mime-type <.png file>” should report “image/png” for a genuine image; any other answer for a .png file is worth investigating. The check screens for the disguised upload only: a file that does carry a valid PNG header is not thereby proven benign.
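The same check in a form that scales to a whole directory tree, as an added example for this page rather than code from Lumen or Versa: it performs the magic-byte test that `file` uses for PNG in pure Python, so it also works on hosts where `file` is unavailable. The webroot path is assumed to be supplied by the operator; the sample tree built below is constructed for demonstration, including a file that reuses the VersaTest.png name mentioned above but whose contents are my own (Java class-file magic bytes standing in for a disguised upload).

```python
"""Find files named *.png under a webroot whose content is not a PNG.

Added example, not code from the article, Lumen or Versa. The PNG
signature check is equivalent to what `file -b --mime-type` does for PNG.
Assumption: the caller passes the Versa webroot path; the sample tree
below is constructed for demonstration only.
"""
import tempfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # 8-byte PNG file signature


def is_real_png(path):
    """True if the file begins with the PNG signature."""
    with open(path, "rb") as fh:
        return fh.read(len(PNG_MAGIC)) == PNG_MAGIC


def find_fake_pngs(root):
    """Recursively return paths (relative to root, sorted) that end in .png
    but do not start with the PNG signature."""
    root = Path(root)
    fakes = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() == ".png" and not is_real_png(p):
            fakes.append(p.relative_to(root).as_posix())
    return sorted(fakes)


def build_sample_webroot():
    """Constructed sample tree: one genuine PNG header, two disguised files,
    and one non-.png file that must be ignored."""
    root = Path(tempfile.mkdtemp(prefix="versa_webroot_"))
    (root / "img").mkdir()
    (root / "img" / "logo.png").write_bytes(PNG_MAGIC + b"\x00" * 16)
    # Java class-file magic (0xCAFEBABE) behind a .png name, my stand-in for
    # a disguised upload; not the real VersaMem sample.
    (root / "img" / "VersaTest.png").write_bytes(b"\xca\xfe\xba\xbe" + b"\x00" * 16)
    (root / "upload").mkdir()
    (root / "upload" / "favicon.png").write_bytes(b'<%@ page import="java.io.*" %>')
    (root / "upload" / "notes.txt").write_bytes(b"plain text, not named .png")
    return root


if __name__ == "__main__":
    webroot = build_sample_webroot()
    for rel in find_fake_pngs(webroot):
        print(f"not a PNG: {webroot / rel}")
```

Run it against the real webroot by calling `find_fake_pngs("/path/to/versa/webroot")`; anything it lists should be preserved for forensics (hash, timestamps, ownership) before it is removed.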

Users who find signs of compromise should audit Versa user accounts, including downstream customer accounts, rotate credentials, and review all available logs. Lumen has published a list of indicators of compromise and YARA detection rules on GitHub.

“Given the severity of the vulnerability, the sophistication of the threat actors, the critical role of Versa Director servers in the network, and the potential consequences of a successful compromise, Black Lotus Labs considers this exploitation campaign to be highly significant,” the researchers wrote.

In February, the US National Security Agency, the Federal Bureau of Investigation, and the US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on Volt Typhoon alerting organizations that the group had infiltrated the IT networks of organizations in the communications, energy, transportation, water, and wastewater management sectors.

“Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the US authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions,” the agencies warned. “The US authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts.”
