Malicious hackers have been targeting a zero-day vulnerability in Versa Director, a software product commonly used by Internet and IT service providers. This activity has been linked to Volt Typhoon, a Chinese cyber espionage group focused on infiltrating critical U.S. networks and potentially disrupting communications between the United States and Asia in the event of a future armed conflict with China.
Versa Director systems are primarily used by Internet service providers (ISPs) and managed service providers (MSPs) catering to the IT needs of small to mid-sized businesses. In a security advisory issued on August 26, Versa advised customers to apply a patch for the vulnerability (CVE-2024-39717), which is fixed in Versa Director version 22.1.4 and later.
The vulnerability allowed attackers to upload a file of their choice to vulnerable systems. Versa attributed much of the responsibility to customers who failed to implement system hardening and firewall guidelines, leaving a management port exposed on the internet for threat actors to exploit.
Black Lotus Labs, the security research arm of Lumen Technologies, identified a web-based backdoor on Versa Director systems belonging to several U.S. and non-U.S. victims in the ISP and MSP sectors. The earliest known exploit activity occurred at a U.S. ISP on June 12, 2024. This discovery has raised concerns about the potential for advanced persistent threat (APT) actors to gain access to and control network infrastructure.
With a moderate level of confidence, Black Lotus Labs attributed the compromises to Volt Typhoon, noting the group’s use of zero-day attacks targeting IT infrastructure providers and Java-based backdoors that operate in memory only. This aligns with previous warnings issued by the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) regarding Volt Typhoon’s activities.
In response to these developments, security experts have emphasized the need for increased vigilance and proactive measures to secure critical infrastructure networks. FBI Director Christopher Wray has highlighted China’s efforts to potentially disrupt critical infrastructure in the United States, underscoring the importance of cybersecurity defenses to mitigate these threats.
While Lumen Technologies has been actively engaged in assisting Versa in mitigating the vulnerability, some within the company expressed disappointment at not being acknowledged in Versa’s security advisory. However, efforts are ongoing to minimize the exposure of Versa systems to potential attacks and enhance overall cybersecurity defenses.
As the cybersecurity landscape continues to evolve, collaboration between industry stakeholders, government agencies, and security researchers remains crucial to addressing and mitigating emerging threats posed by sophisticated threat actors like Volt Typhoon. It is imperative for organizations to remain vigilant, update their systems regularly, and implement robust security protocols to safeguard against potential cyber attacks.

