Chinese Hacking Group Volt Typhoon Exploits Versa Director Zero-Day Vulnerability

August 27, 2024

Volt Typhoon, a Chinese state-backed hacking group, has been identified as the perpetrator behind the attacks exploiting a zero-day flaw in Versa Director. The hackers used the vulnerability to upload a custom webshell and steal credentials, thereby breaching corporate networks. Versa Director is a platform widely used by ISPs and MSPs to manage the virtual WAN connections created by SD-WAN services.

The vulnerability, tracked as CVE-2024-39717, enables attackers with administrative privileges to upload harmful Java files masquerading as PNG images. These files can subsequently be executed remotely. Versa has confirmed that Director versions 21.2.3, 22.1.2, and 22.1.3 are susceptible to this flaw; upgrading to the latest version, 22.1.4, rectifies it. Versa also advises admins to review the company's system hardening requirements and firewall guidelines.

Lumen's Black Lotus Labs discovered the Versa zero-day vulnerability on June 17 after detecting a malicious Java binary named 'VersaTest.png' uploaded from Singapore to VirusTotal. The file was identified as a custom Java web shell, internally named 'Director_tomcat_memShell', but referred to by the researchers as 'VersaMem'. This malware is specifically designed for Versa Directors and currently has 0 detections on VirusTotal.

The researchers at Black Lotus Labs have detected traffic from SOHO routers exploiting a Versa vulnerability as a zero-day to deploy this web shell since June 12, 2024. The vulnerability demands administrator privileges; however, the threat actors managed to gain elevated privileges via an exposed Versa Director port used for high availability (HA) pairing of nodes.

The custom VersaMem web shell is primarily employed to steal the credentials of legitimate users, thereby breaching the targeted internal network. These pilfered passwords are encrypted and stored in the /tmp/.temp.data file for later access by the threat actors. The custom web shell also has the capability to covertly load in-memory Java bytecode sent by the attackers, which is then executed in the Tomcat webserver running on the compromised Versa Director device.
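The two detection opportunities described above, a Java file uploaded under a .png name and the /tmp/.temp.data credential cache, can both be checked from the device side by trusting file content rather than file names. The following script is an added example written for this article; it is not code from Versa, Black Lotus Labs, or the report, and it assumes only the facts stated here (the PNG masquerade and the /tmp/.temp.data path). The sample upload bytes it scans are constructed inline.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

# Well-known file signatures; the file extension is deliberately ignored.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"
ZIP_MAGIC = b"PK\x03\x04"  # JAR files are ZIP archives

# Path named in the article as the web shell's credential cache (page IoC).
CREDENTIAL_CACHE_PATH = "/tmp/.temp.data"


def classify_upload(data: bytes) -> str:
    """Return what the bytes actually are: png, java-class, jar, zip or unknown."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(JAVA_CLASS_MAGIC):
        return "java-class"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "unknown"
        # A ZIP carrying class files or a manifest is a JAR, whatever it is called.
        if "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names):
            return "jar"
        return "zip"
    return "unknown"


def is_masquerading(filename: str, data: bytes) -> bool:
    """True when a file named .png does not contain PNG data."""
    return Path(filename).suffix.lower() == ".png" and classify_upload(data) != "png"


def scan_upload_dir(directory: str) -> list[str]:
    """Return the names of .png files in `directory` whose content is not PNG."""
    hits = []
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            head = fh.read(64 * 1024)  # magic bytes and ZIP central directory for small files
        # Small JARs fit in the prefix; for large ones read the whole file so ZIP parsing works.
        if head.startswith(ZIP_MAGIC) and os.path.getsize(path) > len(head):
            with open(path, "rb") as fh:
                head = fh.read()
        if is_masquerading(entry, head):
            hits.append(entry)
    return hits


def credential_cache_present(path: str = CREDENTIAL_CACHE_PATH) -> bool:
    """True if the credential cache file described in the article exists."""
    return os.path.isfile(path)


def _build_sample_jar() -> bytes:
    """Constructed sample: a tiny JAR with a manifest and one (dummy) class file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/Dummy.class", JAVA_CLASS_MAGIC + b"\x00" * 8)
    return buf.getvalue()


def demo_scan() -> list[str]:
    """Write constructed files into a temp dir and return the flagged names."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "logo.png").write_bytes(PNG_MAGIC + b"\x00" * 16)      # real PNG header
        Path(tmp, "VersaTest.png").write_bytes(_build_sample_jar())        # JAR named .png
        Path(tmp, "plugin.jar").write_bytes(_build_sample_jar())           # honestly named
        Path(tmp, "notes.png").write_bytes(JAVA_CLASS_MAGIC + b"\x00" * 8) # class named .png
        return scan_upload_dir(tmp)


if __name__ == "__main__":
    print("masquerading uploads:", demo_scan())
    print("credential cache present:", credential_cache_present())
```

The magic-byte check catches a renamed class file or JAR, which is the masquerade the article describes; it does not catch a polyglot that begins with a valid PNG header and carries Java content after it, so on a real upload path it should be paired with full image decoding and, as Versa advises, with the hardening and firewall guidance that keeps the upload endpoint and the HA pairing port off untrusted networks.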

Black Lotus Labs has identified four organizations in the US and one in India that have been impacted by the zero-day, with the threat actors breaching the network in at least one of the attacks. The researchers have shared a comprehensive list of IoCs related to this campaign and further steps to mitigate attacks in the report.

The researchers have attributed these attacks to Volt Typhoon, also known as Bronze Silhouette, based on recognized tactics, techniques, and procedures. Volt Typhoon is a notorious Chinese state-sponsored hacking group known for hijacking SOHO routers and VPN devices to launch stealthy attacks on targeted organizations. The threat actors use compromised routers, firewalls, and VPN devices to camouflage their malicious traffic with legitimate traffic, thereby keeping the attacks undetected.
