
Chinese hackers, Volt Typhoon exploited Versa


The Chinese state-sponsored hacking group Volt Typhoon is responsible for attacks exploiting a zero-day vulnerability in Versa Director, enabling them to upload a customized webshell to steal credentials and infiltrate corporate networks.

Versa Director is a management platform used by ISPs and MSPs to oversee virtual WAN connections created via SD-WAN services.

This vulnerability, identified as CVE-2024-39717, is linked to a feature that allows administrators to upload custom icons for Versa Director’s GUI. Unfortunately, the flaw permitted attackers with admin privileges to upload malicious Java files disguised as PNG images, which could be executed remotely.

According to an advisory released yesterday, Versa confirms that Director versions 21.2.3, 22.1.2, and 22.1.3 are affected. The vulnerability can be resolved by upgrading to the latest version, 22.1.4. Additionally, admins are urged to review the vendor’s system hardening protocols and firewall recommendations.

Versa informed BleepingComputer that they classify this vulnerability as a privilege escalation flaw, as it was exploited to steal credentials from users logging into the system. However, other forms of malware could potentially have been deployed to carry out a variety of malicious activities on the device.

Exploited to breach networks

Researchers at Lumen’s Black Lotus Labs uncovered the Versa zero-day vulnerability on June 17, following the discovery of a malicious Java binary named ‘VersaTest.png,’ which had been uploaded from Singapore to VirusTotal.

Upon analysis, the file was identified as a custom Java web shell internally referred to as “Director_tomcat_memShell,” but named “VersaMem” by the researchers. This malware, which currently has zero detections on VirusTotal, is specifically crafted for Versa Directors.

After examining global telemetry, Black Lotus Labs identified traffic originating from SOHO routers, exploiting the Versa vulnerability as a zero-day to deploy the web shell, dating back to June 12, 2024.

“We assess the short timeframe of TCP traffic to port 4566 immediately followed by moderate-to-large sessions of HTTPS traffic over port 443 from a non-Versa node IP address (e.g. SOHO device) as a likely signature of successful exploitation,” Black Lotus Labs stated.
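The traffic pattern Black Lotus Labs describes can be turned into a simple hunt over flow records. The following is an added example written for this article, not code from Lumen, Versa or BleepingComputer. It assumes flow records with the fields shown, treats port 4566 as the Versa HA port mentioned in the report, and uses constructed sample flows and constructed thresholds (a "short" 4566 session, how soon the HTTPS session must follow, what counts as "moderate-to-large"); tune those to your own telemetry.

```python
"""Hunt for the Versa Director exploitation pattern from the Black Lotus Labs report:
a brief TCP session to port 4566 from a non-Versa address, followed shortly by a
moderate-to-large HTTPS session to the same Director from that address.

Added example; flow records, node list and thresholds below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # flow start, seconds since epoch
    src: str         # source IP
    dst: str         # destination IP (the Director)
    dport: int       # destination port
    duration: float  # seconds
    nbytes: int      # bytes transferred in the flow


HA_PORT = 4566              # Versa HA pairing port named in the report
HTTPS_PORT = 443
SHORT_SESSION_MAX = 30.0    # assumption: "short timeframe" of 4566 traffic
FOLLOWUP_WINDOW = 600.0     # assumption: HTTPS must start within 10 min of the 4566 flow ending
HTTPS_MIN_BYTES = 100_000   # assumption: "moderate-to-large" HTTPS session


def suspicious_sources(flows, versa_nodes):
    """Return {src_ip: [(ha_flow, https_flow), ...]} for non-Versa sources that
    touched the HA port briefly and then opened a sizeable HTTPS session."""
    by_src = defaultdict(list)
    for f in flows:
        if f.src not in versa_nodes:          # legitimate HA peers are excluded
            by_src[f.src].append(f)

    hits = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        ha_flows = [f for f in fl if f.dport == HA_PORT and f.duration <= SHORT_SESSION_MAX]
        https_flows = [f for f in fl if f.dport == HTTPS_PORT and f.nbytes >= HTTPS_MIN_BYTES]
        pairs = []
        for h in ha_flows:
            h_end = h.ts + h.duration
            for w in https_flows:
                # same Director, HTTPS begins after the HA session and within the window
                if w.dst == h.dst and h_end <= w.ts <= h_end + FOLLOWUP_WINDOW:
                    pairs.append((h, w))
        if pairs:
            hits[src] = pairs
    return hits


# Constructed sample data: Director 10.0.0.1 with HA peer 10.0.0.2; other
# addresses are documentation ranges standing in for SOHO/admin/scanner hosts.
VERSA_NODES = {"10.0.0.1", "10.0.0.2"}
SAMPLE_FLOWS = [
    # Long-lived HA pairing traffic between the two Versa nodes: ignored.
    Flow(1_718_150_000.0, "10.0.0.2", "10.0.0.1", 4566, 3600.0, 5_000_000),
    # Actor-controlled SOHO device: 4 s on 4566, then 2.4 MB over HTTPS 40 s later.
    Flow(1_718_150_100.0, "198.51.100.7", "10.0.0.1", 4566, 4.0, 2_300),
    Flow(1_718_150_144.0, "198.51.100.7", "10.0.0.1", 443, 90.0, 2_400_000),
    # Ordinary admin using the GUI over HTTPS only: not flagged.
    Flow(1_718_150_200.0, "203.0.113.9", "10.0.0.1", 443, 300.0, 1_800_000),
    # Scanner touching 4566 with no follow-up session: not flagged.
    Flow(1_718_150_300.0, "192.0.2.55", "10.0.0.1", 4566, 1.0, 120),
]


if __name__ == "__main__":
    for src, pairs in suspicious_sources(SAMPLE_FLOWS, VERSA_NODES).items():
        for h, w in pairs:
            print(f"{src}: {h.duration:.0f}s on tcp/{h.dport} at {h.ts:.0f}, "
                  f"then {w.nbytes} bytes on tcp/{w.dport} at {w.ts:.0f}")
```

Run it on your own exported flow records by building `Flow` objects from them and listing every Director and HA peer address in `versa_nodes`; any source that is not a known Versa node and still speaks to the HA port deserves a look on its own, even without the HTTPS follow-up.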

Although the vulnerability requires administrator privileges, researchers report that the threat actors were able to gain these elevated privileges by exploiting an exposed Versa Director port utilized for high availability (HA) node pairing.

Versa confirmed to BleepingComputer that the threat actors leveraged this vulnerability to steal credentials by following these steps:

  1. Access the exposed HA port using an NCS client and create an account with either Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges.
  2. Exploit the zero-day vulnerability using the account created in Step #1 to implant the malicious JAR web shell, which facilitates credential theft.
  3. (Optional) Delete the account created in Step #1.
  4. Capture credentials of legitimate users who subsequently logged in after Step #2.

Versa emphasized that the vulnerability could not have been exploited had the HA port been secured according to their firewall guidelines. When questioned about why the port was open by default, Versa explained that it is essential for the high availability feature.

Black Lotus Labs reported the vulnerability to Versa on July 20, and the company privately notified customers on July 26.

The custom VersaMem web shell is primarily designed to harvest credentials of legitimate users to infiltrate the targeted internal network. These stolen passwords are encrypted and stored in the /tmp/.temp.data file for later retrieval by the attackers.

Additionally, the web shell can discreetly load in-memory Java bytecode sent by the attackers, which is then executed within the Tomcat webserver running on the compromised Versa Director device.

Volt Typhoon attack flow on Versa Director
Source: Lumen’s Black Lotus Labs

Black Lotus Labs informed BleepingComputer that they are aware of four organizations in the U.S. and one in India affected by the zero-day vulnerability, with the threat actors successfully breaching the network in at least one instance.

“Analysis of our global telemetry revealed that actor-controlled small-office/home-office (SOHO) devices were exploiting this zero-day vulnerability across four U.S.-based victims and one international victim in the Internet service provider (ISP), managed service provider (MSP), and information technology (IT) sectors as early as June 12, 2024,” stated Black Lotus Labs.

Customers can verify if their devices have been compromised by inspecting the /var/versa/vnms/web/custom_logo/ directory for any suspicious files. Lumen’s Black Lotus Labs advises administrators to review devices for newly created accounts and to restrict access to the HA port.
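Since the flaw let Java files be uploaded under an image name, the quickest check of that directory is to compare each file's magic bytes with what a PNG icon should contain. The script below is an added example, not code from Versa or Lumen. Only the directory path comes from the article; the PNG, ZIP/JAR and Java class signatures are the standard file magic numbers, and it assumes that only genuine PNG files belong in that directory (constructed sample files are used when no path is given).

```python
"""Flag files in Versa Director's custom-icon directory whose content is not a PNG.

Added example. The directory path is from the article; the file signatures are the
standard magic numbers for PNG, ZIP (which JAR files use) and compiled Java classes.
"""
import os
import sys
import tempfile

CUSTOM_LOGO_DIR = "/var/versa/vnms/web/custom_logo/"

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"           # JAR archives are ZIP files
CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # compiled Java .class file


def classify(head: bytes) -> str:
    """Identify a file from its leading bytes."""
    if head.startswith(PNG_MAGIC):
        return "png"
    if head.startswith(ZIP_MAGIC):
        return "zip/jar"
    if head.startswith(CLASS_MAGIC):
        return "java-class"
    return "unknown"


def scan_dir(path: str):
    """Return [(filename, reason)] for regular files whose content is not PNG."""
    findings = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, "rb") as fh:
            head = fh.read(8)
        kind = classify(head)
        if kind != "png":
            findings.append((name, f"content is {kind}, not PNG"))
    return findings


def make_sample_dir() -> str:
    """Create a temporary directory with constructed samples: one real PNG icon,
    a JAR carrying a .png name (as in the reported upload), and a bare class file."""
    d = tempfile.mkdtemp(prefix="custom_logo_sample_")
    samples = {
        "good.png": PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 16,
        "VersaTest.png": ZIP_MAGIC + b"\x14\x00\x00\x00" + b"\x00" * 16,
        "evil.class": CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 16,
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_dir()
    print(f"scanning {target}")
    for name, reason in scan_dir(target):
        print(f"  SUSPICIOUS {name}: {reason}")
```

On a Director, run it as `python3 check_custom_logo.py /var/versa/vnms/web/custom_logo/`; any non-PNG hit there, together with unexpected accounts and unexplained 4566 traffic, is worth treating as a possible compromise rather than a stray upload.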

The researchers have provided a comprehensive list of indicators of compromise (IoCs) related to this campaign, along with additional steps for mitigating attacks in their report.

Volt Typhoon

The researchers attributed these attacks to Volt Typhoon, also known as Bronze Silhouette, based on their established tactics, techniques, and procedures.

Volt Typhoon is a Chinese state-sponsored hacking group notorious for hijacking SOHO routers and VPN devices to carry out stealthy attacks on targeted organizations.

The threat actors utilize compromised routers, firewalls, and VPN devices to mask their malicious traffic within legitimate network traffic, helping their attacks evade detection.

In December 2023, Black Lotus Labs revealed that Volt Typhoon had been compromising SOHO routers, VPN devices, and IP cameras to construct the ‘KV-botnet,’ which they used to launch attacks on selected networks. Devices compromised in this campaign included Netgear ProSAFE firewalls, Cisco RV320 routers, DrayTek Vigor routers, and Axis IP cameras.

A month later, CISA and the FBI issued a joint advisory urging manufacturers of small office/home office (SOHO) routers to bolster the security of their devices against Volt Typhoon’s attacks.

On that same day, the FBI announced that they had disrupted Volt Typhoon’s KV-botnet, which had been employed to attack critical infrastructure across the U.S.

By February, Volt Typhoon exploited a remote code execution vulnerability in FortiOS SSL VPN, installing custom malware and affecting over 20,000 Fortinet devices in the process.

Source: BleepingComputer
