Volt Tempest Hackers Utilize Zero-Day Vulnerability in Versa Director Servers Used by Managed Services Providers and Internet Service Providers
Chinese state-sponsored hacking group, Volt Tempest, has been observed exploiting a zero-day vulnerability present in the Versa Director servers, which are commonly used by managed service providers and internet service providers.
CVE-2024-39717 was flagged on Aug. 23 by CISA in their “Known Exploited Vulnerabilities Catalog,” after Lumen Technologies detected instances of active exploitation.
Analysis from Censys indicates that 163 devices remain exposed in locations including the U.S., the Philippines, Shanghai, and India, even though Versa Networks has released a patch for Versa Director versions 21.2.3, 22.1.2, and 22.1.3. Operators of these devices are advised to move them into a segregated, secured network and disconnect them from the internet.
Reasons behind cybercriminals targeting Versa Director servers
Versa Director servers empower managed services providers and internet service providers to centrally regulate network configurations for devices utilizing SD-WAN software. They become appealing targets for hackers owing to their potential to compromise multiple systems.
Despite the complexity involved in exploiting the vulnerability, its potential for a widespread attack has earned it a classification of “high-severity” by Versa Networks.
CVE-2024-39717 impacts all Versa Director versions preceding 22.1.4. The exploit was carried out by cybercriminals through a tailored web shell known as “VersaMem,” as identified by Black Lotus Labs, the cybersecurity research division of Lumen Technologies. This illicit tool captures credentials that attackers then utilize to obtain authorized entry into other user networks.
Black Lotus Labs has linked the exploitation of CVE-2024-39717 to Volt Tempest with “moderate confidence,” according to their report on vulnerabilities. They also mentioned ongoing attacks on unpatched Versa Director systems as a likely scenario.
Versa affirms that only one confirmed instance has been reported regarding the exploitation of the vulnerability by an Advanced Persistent Threat actor. The company also noted that the incident involved a customer not implementing recommended system hardening and firewall guidelines introduced in 2017 and 2015 respectively, leading to the exposure of a management port. This port facilitated the initial access for the threat actor without the need for the Versa Director GUI.
By contrast, the Black Lotus Labs team claims to have identified threat actors exploiting the vulnerability at four U.S. corporations and one foreign entity within the ISP, MSP, and IT sectors starting from June 12. Versa has labeled these instances as “unconfirmed to date” because they are based on observations from a third-party provider.
In their findings, the analysts stated: “The threat actors initiate administrative access via an exposed Versa management port intended for high-availability (HA) pairing of Director nodes, leading to the exploitation and deployment of the VersaMem web shell.”
CISA advises that swift remediation of all vulnerabilities listed in the Known Exploited Vulnerabilities Catalog should be a part of any organization’s vulnerability management strategy.
Strategies for exploiting CVE-2024-39717
CVE-2024-39717 enables authenticated users with elevated privileges to upload malevolent files, often camouflaged as images, that can execute harmful code. Once exploited, the vulnerability permits unauthorized access and privilege escalation.
The operatives from Volt Tempest obtained privileged rights on the Versa Director by exploiting an exposed Versa management port meant for the high-availability pairing of Director nodes. They then planted a customized web shell on the Apache Tomcat web server for remote control, and used memory injection to introduce malicious code into legitimate Tomcat processes. This injected code let them run commands and control the compromised system while evading detection by blending in with normal traffic.
Eventually, they manipulated Versa’s “setUserPassword” authentication utility to intercept and capture client credentials in plain text, enabling them to compromise client infrastructure.
Moreover, the web shell was used to hook Tomcat’s ‘doFilter’ request-filtering method and intercept inbound HTTP requests. This allowed the threat actors to inspect the requests for sensitive data or dynamically load Java modules into memory.
Unveiling Volt Tempest
Volt Tempest is a Chinese state-supported hacking faction that has carried out numerous attacks on crucial infrastructures since commencing operations in mid-2021. In May 2023, Microsoft issued an alert about the group, highlighting their utilization of “living off the land” data pilfering and cyber espionage methodologies.
In December 2023, an FBI inquiry exposed an expansive botnet attack orchestrated by the syndicate, crafted from hundreds of privately owned routers in the U.S. and its territories abroad. The subsequent month, Department of Justice investigators affirmed the deletion of the malicious software from the impacted routers, dismantling the botnet.
Ways to safeguard Versa Director servers
Versa Networks and Lumen Technologies have put forth several suggestions for the protection of Versa Director servers:
- Implement patches promptly: Updates for versions 21.2.3, 22.1.2, and 22.1.3 are available.
- Enforce stringent security practices: Versa Networks suggests adhering to their Firewall and System Hardening criteria.
- Inspect for potential exploitation of the vulnerability:
a) Review the directory “/var/versa/vnms/web/custom_logo/” for any anomalous files. Run the command “file -b --mime-type <.png file>” on each file and confirm the reported type is “image/png.”
b) Search for interactions on port 4566 of Versa Director servers by IPs not belonging to Versa nodes (e.g., SOHO devices).
c) Check for any fresh user accounts and other abnormal files.
d) Scrutinize existing accounts, logs, and credentials, and address any indications of lateral movement if compromise indicators are detected.
- Restrict external access to ports 4566 and 4570: Confirm that these ports are only open between active and standby Versa Director nodes for HA-pairing communication. Refer to the customer support document titled Versa Director HA Port Exploit – Discovery and Remediation.
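The two file- and network-based checks above (a: non-PNG files in the custom_logo directory; b: peers on the HA ports that are not Versa Director nodes) can be scripted for a quick triage pass. The script below is an added example and is not code from Versa Networks, Lumen Technologies, or the article. The custom_logo path and the ports 4566 and 4570 come from the advisory text; the sample connection records, the allow-list of HA peers, and the sample files are constructed here for a dry run. Instead of calling file(1), the PNG check compares the first eight bytes against the PNG signature, which is the same question “file -b --mime-type” answers; the connection check reads a captured “ss -Htn” listing from a file rather than running ss itself.

```bash
#!/usr/bin/env bash
# Added example (not Versa/Lumen/article code): triage helpers for checks (a)
# and (b). Paths and ports come from the advisory; all sample data below is
# constructed. Nothing touches a live Director unless you point it at one.

# Check (a): print every regular file under DIR (default: the custom_logo
# directory from the advisory) whose first 8 bytes are not the PNG signature
# 89 50 4E 47 0D 0A 1A 0A. Dotfiles are included, since "ls" hides them.
find_non_png_files() {
    local dir="${1:-/var/versa/vnms/web/custom_logo}" f sig
    [ -d "$dir" ] || return 0
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        sig=$(od -An -tx1 -N 8 "$f" | tr -d ' \n')
        [ "$sig" = "89504e470d0a1a0a" ] || printf '%s\n' "$f"
    done
}

# Check (b): CONNS is a file in the layout of "ss -Htn" output
# (State Recv-Q Send-Q Local:Port Peer:Port), ALLOWLIST has one legitimate
# Versa Director node IP per line. Print each peer that talks to the HA
# ports 4566 or 4570 and is not an allowed node. Capture the listing first,
# e.g. with: ss -Htn > conns.txt
find_unexpected_ha_peers() {
    local conns="$1" allowlist="$2"
    awk -v allowfile="$allowlist" '
        BEGIN { while ((getline ip < allowfile) > 0) if (ip != "") ok[ip] = 1 }
        NF >= 5 {
            n = split($4, l, ":"); lport = l[n]            # local port
            m = split($5, p, ":")                           # peer addr:port
            peer = substr($5, 1, length($5) - length(p[m]) - 1)
            if ((lport == "4566" || lport == "4570") && !(peer in ok)) print peer
        }' "$conns" | sort -u
}

# Constructed sample data for a dry run (not captured from a real Director).
# Active node 10.10.0.11; standby node 10.10.0.12 is the only legitimate
# HA peer. 203.0.113.57 and 198.51.100.23 are documentation addresses.
write_sample_data() {
    local dir="$1"
    mkdir -p "$dir/custom_logo"
    printf '10.10.0.12\n' > "$dir/ha_nodes.txt"
    cat > "$dir/conns.txt" <<'EOF'
ESTAB 0 0 10.10.0.11:4566 10.10.0.12:44120
ESTAB 0 0 10.10.0.11:4570 10.10.0.12:44121
ESTAB 0 0 10.10.0.11:4566 203.0.113.57:50931
ESTAB 0 0 10.10.0.11:443 198.51.100.23:61002
ESTAB 0 0 10.10.0.11:4570 203.0.113.57:50944
EOF
    # A file with a genuine PNG header, and one that only has a .png name.
    printf '\211PNG\r\n\032\n' > "$dir/custom_logo/versa_logo.png"
    printf 'not an image\n' > "$dir/custom_logo/custom_logo.png"
}

# Run with --demo to exercise both checks on the constructed data.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    write_sample_data "$demo"
    echo "Files in custom_logo without a PNG signature:"
    find_non_png_files "$demo/custom_logo"
    echo "Peers on HA ports 4566/4570 that are not Director nodes:"
    find_unexpected_ha_peers "$demo/conns.txt" "$demo/ha_nodes.txt"
    rm -rf "$demo"
fi
```

On the constructed data the first check flags only custom_logo.png and the second reports only 203.0.113.57; the standby node on both HA ports and the unrelated HTTPS client on port 443 are ignored. A hit from either check is a reason to proceed to steps c) and d), not proof of compromise on its own.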
For further detailed insights, indicators of compromise, and recommendations, refer to the report by Black Lotus Labs and the YARA rules for threat investigation.
