Exploits by Chinese Volt Typhoon Targeting U.S. and Global IT Sectors Due to Versa Director Vulnerability

With a moderate degree of certainty, the hacking group associated with China known as Volt Typhoon has been connected to the exploitation of a critical security vulnerability affecting Versa Director that was recently revealed.


The cyberattacks were directed at four U.S. entities and one international target in the Internet service provider (ISP), managed service provider (MSP), and information technology (IT) fields as early as June 12, 2024, according to a technical report shared by The Hacker News with the Black Lotus Labs team at Lumen Technologies. The assault is presumed to be ongoing against unpatched systems linked to Versa Director.

The security issue involved is CVE-2024-39717 (CVSS score: 6.6), a file upload vulnerability in Versa Director that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added to its Known Exploited Vulnerabilities (KEV) catalog last week, as noted in an article by The Hacker News.

According to an advisory released on Monday by Versa, the flaw permitted users with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges to upload potentially harmful files, and affected customers were exposed because they had not implemented the system hardening and firewall guidelines Versa published in 2015 and 2017 respectively.


In practice, the vulnerability lets threat actors who already hold admin permissions upload malicious files disguised as PNG images through the “Change Favicon” feature of the Versa Director graphical user interface. The issue has been fixed in versions 22.1.4 and later.

The attention of Volt Typhoon on Versa Networks, a provider of secure access service edge (SASE) solutions, comes as no surprise and aligns with the group’s past practices of exploiting compromised small office and home office (SOHO) network gear to redirect network traffic and avoid being detected for extended intervals.

The corporation, headquartered in Santa Clara, boasts of clients such as Adobe, Axis Bank, Barclays, Capital One, Colt Technology Services, Infosys, Orange, Samsung, T-Mobile, and Verizon, as per records available on its website.

“The attribution to Volt Typhoon is in part due to the employment of SOHO devices and their deployment method,” commented Ryan English, a cybersecurity researcher at Lumen’s Black Lotus Labs, in an interview with The Hacker News.

“In addition to this, there is a blend of established and observed tactics, techniques, and procedures (TTPs) including network infrastructure, zero-day exploits, targeted infiltration of specific sectors/victims, examination of web shells, and other verified links to malicious operations.”

The attack chains use the vulnerability as an entry point to deliver a custom web shell named VersaMem (“VersaTest.png”), built primarily to capture and harvest login credentials that could be used to access downstream customer networks as a legitimate user, resulting in an extensive supply chain breach.

Another crucial aspect of the sophisticated JAR web shell is its modularity, allowing operators to load extra Java code for exclusive in-memory execution.

The earliest sample of VersaMem was uploaded to VirusTotal from Singapore on June 7, 2024. As of August 27, 2024, no anti-malware engine had flagged the web shell as malicious. The threat actors are believed to have tested the web shell against non-U.S. targets before turning to U.S. entities.

The web shell “utilizes Java instrumentation and Javassist to inject malevolent code into the memory space of the Tomcat web server process on compromised Versa Director systems,” the analysts elaborated.

“Once injected, the web shell code hijacks Versa’s authentication processes, permitting unauthorized interception of plaintext credentials and potentially enabling subsequent compromises of client systems through legitimate use of acquired login details.”


“Additionally, the web shell gains access to Tomcat’s request filtering functions, allowing the threat actors to execute arbitrary Java code in-memory on the infiltrated server while evading detection based on file signatures and securing their web shell, its components, and the undisclosed vulnerability itself.”

To counter this attack group, organizations should apply Versa's recommended security measures, block external access to ports 4566 and 4570, search their Versa Director systems for PNG images that may actually be disguised web shells, and scrutinize any network traffic from SOHO devices to port 4566 on Versa Director systems.
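Because the web shell is a JAR delivered under a .png name, a file-extension search alone is not enough; the contents must be checked. The following Python is an added example, not code from the article or from Lumen, that walks a directory and flags every .png whose bytes are not a PNG image, identifying ZIP/JAR archives by their signature and manifest. The sample directory and its file contents are constructed here for the demonstration.

```python
import tempfile
import zipfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # 8-byte signature every real PNG starts with
ZIP_MAGIC = b"PK\x03\x04"          # local-file header that opens ZIP (and JAR) archives


def classify_png_candidate(path):
    """Verdict for a file that claims to be a PNG by its extension."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head == PNG_MAGIC:
        return "png"
    if head.startswith(ZIP_MAGIC):
        # JARs are ZIP archives; a manifest or .class entries indicate a Java payload.
        try:
            with zipfile.ZipFile(path) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-like"
        if "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names):
            return "jar-disguised-as-png"
        return "zip-disguised-as-png"
    return "not-png"


def hunt_fake_pngs(root):
    """Walk root and return (filename, verdict) for every *.png that is not a real PNG."""
    findings = []
    for path in sorted(Path(root).rglob("*.png")):
        if path.is_file():
            verdict = classify_png_candidate(path)
            if verdict != "png":
                findings.append((path.name, verdict))
    return findings


def build_sample_tree():
    """Constructed sample data: a genuine PNG header, a JAR renamed to .png, a text file."""
    root = Path(tempfile.mkdtemp())
    (root / "favicon.png").write_bytes(PNG_MAGIC + b"\x00" * 16)
    with zipfile.ZipFile(root / "VersaTest.png", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Dummy.class", b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode
    (root / "notes.png").write_text("just text")
    return root
```

Run `hunt_fake_pngs` against the Versa Director web root and any upload directories; each hit is a candidate for further analysis, not yet a confirmed compromise.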

Volt Typhoon, also tracked as Bronze Silhouette, Insidious Taurus, UNC3236, Vanguard Panda, and Voltzite, is an advanced persistent threat that has been active for at least five years, focusing on critical infrastructure organizations in the U.S. and Guam with the aim of establishing undetected access and extracting sensitive information.

“This specific instance indicates how Volt Typhoon continues to strive to gain access to their ultimate targets patiently and indirectly,” English remarked. “In this scenario, they chose to exploit the Versa Director system to launch attacks at a crucial information intersection where they could gather credentials and entry, then progress towards their final target.”

“The evolving tactics of Volt Typhoon over time illustrate that while a business might not consider itself a primary focus for a highly skilled national threat actor, the clients that a product is meant to cater to could be the real targets, and this should raise concerns for all of us.”
