CyberSecurity SEE

Exploitation of Versa Director zero-day flaw by Volt Typhoon

In a recent series of cyber attacks, the Chinese nation-state threat group Volt Typhoon has been found to have exploited a zero-day vulnerability in Versa Networks’ SD-WAN software, as reported by Lumen Technologies’ Black Lotus Labs. The flaw, identified as CVE-2024-39717, is a high-severity privilege escalation issue in the Versa Director software, allowing attackers to upload malicious files with administrator-level privileges.

According to researchers at Black Lotus Labs, telemetry data revealed exploitation of the vulnerability as early as June 12, with the activity linked to Volt Typhoon, a notorious hacking group associated with the Chinese government. This group has a history of targeting critical infrastructure organizations in the United States, as confirmed by the Cybersecurity and Infrastructure Security Agency (CISA).

The researchers at Black Lotus Labs discovered a unique web shell, named ‘VersaMem,’ which was specifically designed to exploit the CVE-2024-39717 vulnerability. This web shell’s primary function is to intercept and gather credentials that could provide unauthorized access to downstream customers’ networks.

The zero-day attacks orchestrated by Volt Typhoon impacted four U.S. organizations and one non-U.S. organization in the ISP, MSP, and IT sectors, as outlined in the Lumen report. The attackers utilized small office/home office routers under their control to carry out the exploitation, a tactic previously employed by Volt Typhoon in other attacks.

Versa Networks acknowledged the exploitation of the vulnerability by an Advanced Persistent Threat actor, with the targets mainly being managed service providers (MSPs). According to Dan Maier, CMO at Versa Networks, three companies worldwide, including one ISP and two MSPs, have been compromised as a result of these attacks.

Black Lotus Labs emphasized that these zero-day attacks by Volt Typhoon have remained highly targeted and are likely ongoing against unpatched Versa Director servers. The researchers warned that Versa Director servers are attractive targets for threat actors due to their potential to abuse SD-WAN network infrastructure before compromising downstream clients.

In response to these attacks, Black Lotus Labs advised Versa Director users to upgrade to the latest patched version of the software and conduct thorough searches for any indicators of compromise within their networks. They also recommended implementing firewall rules and system hardening techniques provided by Versa Networks in previous communications to mitigate the risk of further exploitation.

As the cybersecurity landscape continues to evolve, organizations must remain vigilant and proactive in addressing emerging threats. By staying informed about the latest vulnerabilities and taking appropriate security measures, businesses can better protect themselves against sophisticated cyber attacks.
