Targeted Versa Software Used by Service Providers to Manage Wide Area Networks
Chinese nation-state hackers are exploiting a zero-day flaw in a tool used to manage and monitor network infrastructure, security researchers warned.
The targeted tool, Versa Director from California-based Versa Networks, is used by a number of internet service providers, managed service providers and IT firms to deploy, configure and monitor network infrastructure across locations, including via software-defined wide area networks.
Versa issued private security alerts directly to all customers on July 26 and Aug. 8, advising them to immediately patch the vulnerability by updating to the latest versions of Versa Director: 21.2.3, 22.1.2 and 22.1.3.
The company first publicly detailed the vulnerabilities Monday in a security alert that says, “We are actively working with all customers to ensure the patch and system hardening guidelines are applied.”
On Tuesday, attack surface management platform Censys reported still seeing 163 exposed devices online.
The flaw, tracked as CVE-2024-39717, was discovered and reported to Versa by Louisiana-based Lumen Technologies’ threat intelligence group Black Lotus Labs. The U.S. Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities Catalog on Friday, reflecting that the flaw is being successfully exploited in the wild.
The U.S. National Vulnerability Database says the risk posed by the vulnerability is “high,” meaning it can be remotely exploited to take full control of a system. Attackers often chain vulnerabilities together to give their attacks greater reach.
Based on attackers’ tactics, techniques and procedures, Black Lotus Labs attributed the zero-day exploit campaign “with moderate confidence” to the Beijing cyberespionage group Volt Typhoon, aka Bronze Silhouette, and said the attacks are “likely ongoing against unpatched Versa Director systems.”
The threat intelligence group warned that the hacking campaign could have “highly significant” repercussions, “given the severity of the vulnerability, the sophistication of the threat actors, the critical role of Versa Director servers in the network and the potential consequences of a successful compromise.” The security researchers have published indicators of compromise, allowing all Versa Director users to search for signs of malicious activity.
Black Lotus Labs said its telemetry suggests the flaw has already been exploited in small office or home-office – aka SOHO – devices being used by four U.S. organizations and one organization abroad that are in the ISP, MSP or IT sectors. The earliest exploitation began on June 12, and attackers’ access persisted until mid-July.
A Chinese official denied his government has any connection to the exploitation campaign, The Washington Post reported.
The Versa Director vulnerability can be exploited by attackers to upload a dangerous file “that allows administrators with ‘Provider-Data-Center-Admin’ or ‘Provider-Data-Center-System-Admin’ privileges to customize the user interface,” CISA said. “The ‘change favicon’ (favorite icon) enables the upload of a .png file, which can be exploited to upload a malicious file with a .png extension disguised as an image.”
By exploiting the vulnerability, “threat actors gain initial administrative access over an exposed Versa management port intended for high-availability (HA) pairing of Director nodes, which leads to exploitation and the deployment of the VersaMem web shell,” it said.
Black Lotus Labs said the VersaMem Java archive – aka JAR – web shell injects code into Apache Tomcat web server processes in Versa Director and then can “capture plaintext user credentials” as well as “dynamically load in-memory Java classes.” This is all done in memory, which makes the malicious activity more difficult to spot. The web shell was first uploaded to malicious content analysis platform VirusTotal on June 7 with the filename Versatest.png. That was five days prior to the earliest known exploitation, it said.
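Both CISA’s description of the favicon upload and Black Lotus Labs’ note that the web shell is a JAR carrying a .png name point to the same defensive check: a file’s extension says nothing about its content, so a PNG should start with the PNG signature and a JAR, being a ZIP archive, starts with “PK”. The script below is an added example written for this article, not code from Versa, CISA or Black Lotus Labs; it scans a directory you choose for .png files whose bytes are not a PNG and builds a constructed sample tree (assumed, not real Versa data) so it runs stand-alone.

```python
import tempfile
from pathlib import Path

# File signatures ("magic bytes"). A JAR is a ZIP archive, so it starts with PK\x03\x04.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"


def classify_image_upload(data: bytes) -> str:
    """Classify a file that claims to be a PNG by its leading bytes, not its name."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(ZIP_MAGIC):
        return "zip/jar"  # a Java archive wearing a .png extension
    return "unknown"


def find_masqueraded_pngs(root) -> list:
    """Walk `root` and return (relative path, verdict) for every *.png that is not a PNG."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.png")):
        with open(path, "rb") as fh:
            verdict = classify_image_upload(fh.read(16))
        if verdict != "png":
            findings.append((str(path.relative_to(root)), verdict))
    return findings


def build_sample_dir() -> str:
    """Create a constructed sample tree (hypothetical files, not real Versa data)."""
    root = tempfile.mkdtemp(prefix="favicon_check_")
    samples = {
        "favicon.png": PNG_MAGIC + b"\x00" * 24,                          # genuine PNG header
        "Versatest.png": ZIP_MAGIC + b"\x14\x00\x08\x00" + b"\x00" * 24,  # ZIP/JAR bytes
        "notes.png": b"just some text",                                   # neither format
    }
    for name, data in samples.items():
        Path(root, name).write_bytes(data)
    return root


if __name__ == "__main__":
    # Point find_masqueraded_pngs() at your own upload directory in a real check.
    for rel, verdict in find_masqueraded_pngs(build_sample_dir()):
        print(f"{rel}: extension says PNG, content looks like {verdict}")
```

A hit on a ZIP signature is a strong signal; an "unknown" hit still deserves a look, since a legitimate favicon upload has no reason to be anything but a PNG.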
Versa said the “dangerous file type upload vulnerability” remains “difficult to exploit,” in part due to the relatively high level of privileges an attacker would need, but it also acknowledged the flaw “has been exploited in at least one known instance by an advanced persistent threat actor.”
While the vulnerability is present in previous versions of Versa Director, users are only at risk if they haven’t implemented firewall guidance and system hardening requirements Versa has published since 2015 and 2017, respectively, the company said.
All customers whose Versa Director software was exploited “failed to implement” those recommendations, Versa said, which left “a management port exposed on the internet that provided the threat actors with initial access.”
Black Lotus Labs credited the discovery and analysis of the zero-day vulnerability to Michael Horka, its senior lead information security engineer, who formerly served as an FBI special agent on the bureau’s Cyber Task Force.
The threat research group said it’s making the vulnerability details public after Versa directly notified customers about the flaw – twice – in part because attackers still appear to be attempting to target and compromise unpatched devices to hack into victims’ networks.
“This is privileged, high-level connectivity to interesting customers,” Horka told The Washington Post.