Chinese APT Volt Typhoon Caught Exploiting Versa Networks SD-WAN Zero-Day


Malware hunters at Lumen Technologies have caught Chinese APT Volt Typhoon exploiting a fresh zero-day in Versa Director servers to hijack credentials and break into downstream customers’ networks.

The high-severity vulnerability, tracked as CVE-2024-39717, was added to the CISA must-patch list over the weekend after Versa Networks confirmed zero-day exploitation and warned that the Versa Director GUI can be hacked to plant malware on affected devices.

Versa Director servers are used to manage network configurations for clients running SD-WAN software and are heavily used by ISPs and MSPs, making them a critical and attractive target for threat actors seeking to extend their reach within enterprise network management.

“Versa Networks is aware of one confirmed customer reported instance where this vulnerability was exploited because the Firewall guidelines which were published in 2015 and 2017 were not implemented by that customer. This non-implementation resulted in the bad actor being able to exploit this vulnerability without using the GUI,” the company said, appearing to shift blame onto victim organizations for configuration errors.

“In our testing (not exhaustive, as not all numerical versions of major browsers were tested) the malicious file does not get executed on the client. There are reports of others based on backbone telemetry observations of a 3rd party provider, however these are unconfirmed to date,” Versa said in a security bulletin.

According to SecurityWeek sources, the Black Lotus Labs team at Lumen Technologies discovered active exploitation of the flaw hitting Versa Director versions prior to 22.1.4. 

The research team found a unique, custom-tailored web shell that is tied to this zero-day and is being used to intercept and harvest credentials for access into downstream customers’ networks as an authenticated user.

Based on known and observed tactics and techniques, the Black Lotus Labs team linked the zero-day exploitation to Volt Typhoon, a Chinese government-backed hacking team caught in a series of eyebrow-raising attacks against hundreds of critical infrastructure targets in the United States. The company believes exploitation of this vulnerability is limited to Volt Typhoon and is “likely ongoing” against unpatched Versa Director systems.


The researchers pinpointed exploits dating back to at least June 12, 2024, and warn that this Volt Typhoon campaign has remained highly targeted, affecting several US victims in the ISP, MSP and IT sectors.

Volt Typhoon, active since mid-2021, has compromised a wide variety of organizations spanning communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and the education sectors. 

This is not the first time Black Lotus Labs researchers have discovered Volt Typhoon hackers in network devices. Last December, the research outfit raised an alarm over a massive botnet packed with end-of-life Cisco, Netgear and Fortinet devices being used as covert data transfer networks to perform malicious operations.

One month later, the US government neutralized the botnet and urged organizations to work harder to purge the Chinese hackers from hijacked networks.

The Black Lotus Labs team is expected to publish full technical documentation this week, with Indicators of Compromise (IOCs) and telemetry data to help organizations hunt for signs of compromise.

Related: Five Eyes Agencies Issue New Alert on Chinese APT Volt Typhoon

Related: Volt Typhoon Hackers ‘Pre-Positioning’ for Critical Infrastructure Attacks

Related: US Gov Disrupts SOHO Router Botnet Used by Chinese APT Volt Typhoon

Related: Chinese APT Volt Typhoon Linked to EOL SOHO Router Botnet

Related: Mandiant Raises Alarm Over ‘Volt Typhoon’ Hackers in US Critical Infrastructure
