CyberSecurity SEE

China’s Volt Typhoon Successfully Exploits Vulnerability in Versa’s SD-WAN Director Servers

China’s infamous Volt Typhoon group has been actively exploiting a zero-day vulnerability in Versa Networks’ Director Servers to intercept and harvest credentials for future attacks. The bug, now patched and identified as CVE-2024-39717, impacts all versions of Versa Director prior to 22.1.4 and is related to a feature that allows users to customize the graphical user interface (GUI) of the servers.

According to Dan Maier, the Chief Marketing Officer at Versa, the vulnerability can be classified as a privilege escalation bug, since attackers are harvesting credentials to obtain privileged access. Attackers typically gain initial access to Versa Director through the high-availability management ports 4566 and 4570 when those ports are left open and reachable from the Internet. Maier emphasized the importance of limiting access to these ports to prevent unauthorized entry.

Researchers from Lumen Technologies’ Black Lotus Labs discovered the bug and noted that the threat actor utilized attacker-controlled small-office/home-office (SOHO) devices to access vulnerable Versa Director systems via the management ports. The exploitation of this zero-day vulnerability has been ongoing since at least June, prompting Lumen researchers to report the bug to Versa on June 21. Versa issued customer advisories with mitigations for the bug in July and August, urging organizations to upgrade to the patched software version.

Although Versa confirmed only one incident of successful exploitation, Lumen researchers revealed that the threat actor compromised at least five victims, with four based in the US. The victims include organizations in the managed service provider, Internet service provider, and IT sectors. Lumen researchers reported that the attacker deployed a bespoke Web shell named “VersaMem” to capture plaintext user credentials and monitor inbound requests to the underlying Apache Tomcat Web application server.

HackerOne, the platform through which Versa coordinated the vulnerability disclosure, rated the bug as moderately severe with a CVSS base score of 6.6 out of 10. Versa emphasized the importance of implementing its system hardening and firewall guidelines to mitigate the risk posed by the vulnerability. Michael Horka, a security researcher at Lumen’s Black Lotus Labs, highlighted how easily the vulnerability can be exploited when the management ports are exposed externally, since that exposure allows unrestricted file upload and code execution.

The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-39717 to its catalog of known exploited vulnerabilities, directing federal civilian executive branch agencies to apply Versa’s mitigations by September 13 or discontinue the use of the technology. Volt Typhoon, a China-sponsored group, has been identified as one of the most dangerous nation-state actors, known for targeting US critical infrastructure. The group’s activities raise concerns over potential widespread disruption in the event of escalating geopolitical tensions.

Versa recommends customers upgrade to remedied software versions and conduct thorough checks for any exploitation of the vulnerability in their environments. Implementing system hardening measures and firewall rules is crucial to mitigate the risk posed by the CVE-2024-39717 vulnerability. As the cyber threat landscape continues to evolve, organizations must remain vigilant and proactive in safeguarding their networks against sophisticated threats.
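The port-restriction advice above (limiting access to HA management ports 4566 and 4570) and the firewall guidance in this closing paragraph can be checked mechanically. The following is an added example, not code from the article, Versa or Lumen: it audits an `iptables-save` dump (the dump below is constructed for illustration) and flags INPUT rules that ACCEPT traffic to either HA port without a source-address restriction. Interface-based restrictions (`-i`) are deliberately not treated as sufficient, which is an assumption of this check.

```python
"""Audit an iptables-save dump for Versa Director HA management ports left reachable
from any source. Added example; SAMPLE_DUMP is constructed, not captured from a real host."""
import re

# Ports named in the article as the usual initial-access path.
VERSA_HA_PORTS = {4566, 4570}

# Constructed sample iptables-save output: one source-restricted rule (fine),
# one unrestricted single-port rule and one unrestricted multiport rule (both findings).
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 4566 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4570 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,4566 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp -m tcp --dport 4570 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""


def rule_ports(rule):
    """Expand --dport / --dports (comma lists and lo:hi ranges) into a set of ints."""
    m = re.search(r"--dports?\s+(\S+)", rule)
    if not m:
        return set()
    ports = set()
    for part in m.group(1).split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def source_restricted(rule):
    """True if the rule carries a -s match that is not the catch-all 0.0.0.0/0."""
    m = re.search(r"(?:^|\s)-s\s+(\S+)", rule)
    return bool(m) and m.group(1) not in ("0.0.0.0/0", "0.0.0.0")


def find_exposed_ha_ports(dump):
    """Return (rule, port) pairs for INPUT ACCEPT rules reaching an HA port from any source."""
    findings = []
    for line in dump.splitlines():
        if not line.startswith("-A INPUT") or "-j ACCEPT" not in line:
            continue
        if source_restricted(line):
            continue
        for port in sorted(rule_ports(line) & VERSA_HA_PORTS):
            findings.append((line, port))
    return findings


if __name__ == "__main__":
    for rule, port in find_exposed_ha_ports(SAMPLE_DUMP):
        print(f"EXPOSED port {port}: {rule}")
```

Run against the output of `iptables-save` on a Director host; each finding is a rule that admits the HA port from arbitrary sources and should be narrowed to the peer addresses that legitimately need it.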
