Cyber espionage group China-nexus tracked how Volt Typhoon is attributed with moderate confidence to exploiting the zero-day of a recently discovered high-severity security flaw affecting Versa Director.
Four U.S. victims and one foreign victim in the Internet Service Provider (ISP), Managed Service Provider (MSP), and Information Technology (IT) sectors were affected by attacks as recently as June 12, 2024, the Black Lotus Labs team at Lumen Technologies reported . said in a technical report shared with The Hacker News. The campaign against Versa Director systems is believed to be ongoing without a patch.
The security issue in question is CVE-2024-39717 (CVSS Score: 6.6), a file upload bug affecting Versa Director that was added to the US Cybersecurity and Infrastructure Security Agency’s (CISA) directory of Known Exploited Vulnerabilities (KEV) last week.
“This vulnerability could allow users with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges to download potentially malicious files,” Versa said an advisory issued Monday said affected customers failed to comply with system and firewall hardening recommendations issued in 2015 and 2017, respectively.
The issue essentially allows threat actors with administrative privileges to upload malicious files disguised as PNG image files by using the Change Favicon icon option in the Versa Director GUI. This was addressed in versions 22.1.4 or later.
Volt Typhoon’s targeting of Secure Access Services (SASE) provider Versa Networks is unsurprising and consistent with adversary considerations historical exploitation of compromised small and home office (SOHO) network equipment to route network traffic and evade detection for extended periods of time.
Company from Santa Clara calculates Its clients include Adobe, Axis Bank, Barclays, Capital One, Colt Technology Services, Infosys, Orange, Samsung, T-Mobile and Verizon.
“Part of the (Volt Typhoon) attribution is based on the use of SOHO devices and how they are used,” Ryan English, a security researcher at Lumen’s Black Lotus Labs, told The Hacker News.
“But there was also a combination of known and observed TTPs, including network infrastructure, zero-day exploits, strategic targeting of specific sectors/victims, web shell analysis, and other confirmed instances of malicious activity.”
The attack chains are characterized by exploiting the flaw to create a custom web shell called VersaMem (“VersaTest.png”), which is primarily designed to intercept and harvest credentials that would allow access to downstream customer networks as an authenticated user, in a large-scale attack on the supply chain.
Another noteworthy feature of a complex web JAR is that it is modular in nature and allows operators to load additional Java code to run solely in memory.
The earliest example of VersaMem was loaded at VirusTotal from Singapore on 07 Jun 2024 As of 27 Aug 2024, the web shell has not been flagged as malicious by any anti-malware engine. It is believed that the threat actors may have tested the web shell in the wild on non-US victims before deploying it on US targets.
The web shell “uses Java and Javassist tools to inject malicious code into the memory space of Tomcat web server processes on exploited Versa Director servers,” the researchers explained.
“Once injected, the web shell code intercepts Versa’s authentication functionality, allowing an attacker to passively intercept credentials in plaintext, potentially allowing subsequent compromise of client infrastructure through legitimate use of the credentials.”
“Furthermore, the web shell intercepts Tomcat’s request filtering functionality, allowing a threat actor to execute arbitrary Java code in memory on a compromised server, avoiding file-based detection methods and protecting its web shell, its modules, and the zero-day itself. .”
To counter the threat posed by a cluster attack, it is recommended to apply the necessary mitigations, block external access to ports 4566 and 4570, recursively search for PNG image files, and scan possible network traffic coming from SOHO devices to port 4566 on the Versa Director. servers.
Volt Typhoon, also tracked as Bronze Silhouette, Insidious Taurus, UNC3236, Vanguard Panda, and Voltzite, is an extended persistent threat that of course be active for at least five years targeting critical infrastructure facilities in the US and Guam to maintain covert access and steal sensitive data.
“This is a case that shows how Volt Typhoons continue to patiently and indirectly try to access their ultimate victims,” English said. “Here they targeted the Versa Director system as a means of attacking a strategic intersection of information where they could collect credentials and gain access and then move down the chain to their ultimate victim.”
“The evolution of the Volt Typhoon over time shows us that while an enterprise may not feel it will attract the attention of a highly skilled nation-state actor, the customers the product is intended to serve may be the real target, and that worries us all.”
