China State Sponsored Hackers Breach U.S. Internet Providers With Zero-Day Exploit


Chinese state-sponsored hacking group Volt Typhoon has been identified as the perpetrator behind recent cyberattacks exploiting a zero-day vulnerability in Versa Director. This flaw was leveraged to upload a custom webshell, enabling the theft of credentials and the compromise of corporate networks.

Versa Director serves as a management platform for Internet Service Providers (ISPs) and Managed Service Providers (MSPs) to oversee virtual WAN connections created through SD-WAN services.

The vulnerability, designated CVE-2024-39717, resides in a feature that allows administrators to upload custom icons for Versa Director’s GUI. Attackers who had obtained administrative privileges abused this feature to upload malicious Java files disguised as PNG images, which could then be executed remotely.

According to an advisory published by Versa, the vulnerability affects Director versions 21.2.3, 22.1.2, and 22.1.3. The issue has been resolved in version 22.1.4, and administrators are advised to update to this latest version. Versa also recommends reviewing its system hardening requirements and firewall guidelines.

Versa classified this vulnerability as a privilege escalation flaw, as it was used to harvest credentials from users who logged into the system. The company also noted that other types of malware could potentially exploit this flaw to carry out different malicious activities on the device.


Exploitation for Network Breaches

Researchers from Lumen's Black Lotus Labs discovered the Versa zero-day vulnerability on June 17 after identifying a malicious Java binary named 'VersaTest.png' uploaded from Singapore to VirusTotal.

An analysis revealed that the file was a custom Java webshell, internally referred to as "Director_tomcat_memShell" and dubbed "VersaMem" by the researchers. This malware, specifically designed for Versa Director, currently has zero detections on VirusTotal.

Black Lotus Labs' global telemetry detected traffic from small office/home office (SOHO) routers exploiting this Versa vulnerability as a zero-day to deploy the webshell since June 12, 2024.

"We identified compromised SOHO devices with TCP sessions over port 4566, which were immediately followed by large HTTPS connections over port 443 for several hours. Given that port 4566 is generally reserved for Versa Director node pairing and that these nodes typically communicate over this port for extended periods, there should not be any legitimate communication to that port from SOHO devices over short timeframes.

We assess the short timeframe of TCP traffic to port 4566, immediately followed by moderate-to-large sessions of HTTPS traffic over port 443 from a non-Versa node IP address (e.g., SOHO device), as a likely signature of successful exploitation."

— Black Lotus Labs
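The traffic pattern Black Lotus Labs describes can be turned into a hunting rule over flow records. The Python below is an added example (not code from the article or from Black Lotus Labs): the flow record format, the thresholds and the allowlist of known Versa node IPs are assumptions, and the sample flows are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed flow summaries (not from the report):
# start  src  dst  dst_port  proto  duration_seconds  bytes
SAMPLE_FLOWS = """\
2024-06-12T03:10:02Z 203.0.113.45 198.51.100.10 4566 tcp 11 2140
2024-06-12T03:10:20Z 203.0.113.45 198.51.100.10 443 tcp 7200 913000000
2024-06-12T03:15:00Z 198.51.100.11 198.51.100.10 4566 tcp 86400 5400000
2024-06-12T04:00:00Z 192.0.2.77 198.51.100.10 4566 tcp 9 1800
2024-06-12T04:00:40Z 192.0.2.77 198.51.100.10 443 tcp 30 4096
"""

@dataclass
class Flow:
    start: datetime
    src: str
    dst: str
    dport: int
    duration_s: int
    nbytes: int

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, _proto, dur, nbytes = line.split()
        flows.append(Flow(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                          src, dst, int(dport), int(dur), int(nbytes)))
    return flows

def find_pairing_port_abuse(flows, versa_nodes, max_pair_secs=60,
                            follow_within=timedelta(minutes=10),
                            min_https_bytes=50_000_000):
    """Flag (src, dst) pairs where a non-Versa source makes a short TCP
    session to the HA pairing port 4566 and, shortly after, a large HTTPS
    session to the same Director host. Legitimate pairing peers hold 4566
    open for long periods, so short sessions from unknown IPs stand out."""
    hits = []
    by_src = {}
    for f in sorted(flows, key=lambda f: f.start):
        by_src.setdefault(f.src, []).append(f)
    for src, fs in by_src.items():
        if src in versa_nodes:          # known HA peers are expected on 4566
            continue
        for i, f in enumerate(fs):
            if f.dport != 4566 or f.duration_s > max_pair_secs:
                continue
            for g in fs[i + 1:]:
                if g.start - f.start > follow_within:
                    break
                if g.dst == f.dst and g.dport == 443 and g.nbytes >= min_https_bytes:
                    hits.append((src, f.dst))
                    break
    return hits
```

In the constructed data only 203.0.113.45 matches: the known peer 198.51.100.11 is allowlisted, and 192.0.2.77's follow-up HTTPS session is too small.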


Although the vulnerability requires administrator privileges, researchers reported that the threat actors gained elevated privileges through an exposed Versa Director port used for high availability (HA) node pairing.

Versa confirmed that the attackers exploited the vulnerability to steal credentials through the following steps:

  1. Accessing the exposed HA port with an NCS client and creating an account with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges.
  2. Exploiting the zero-day vulnerability using the account created in step 1 to deploy a malicious JAR webshell used to steal credentials.
  3. (Optional) Deleting the account created in step 1.
  4. Harvesting credentials from legitimate users who subsequently logged in.


Versa noted that the attackers could not have exploited the flaw if the HA port had been secured according to the company’s firewall guidelines. When asked why the port was open by default, Versa explained that it was necessary for the high availability feature.

Black Lotus Labs reported the vulnerability to Versa on July 20, and the company privately alerted its customers on July 26.

The custom VersaMem webshell is primarily used to steal credentials, enabling the attackers to breach the targeted internal network. The stolen credentials are encrypted and stored in the /tmp/.temp.data file for later retrieval by the attackers.

The webshell can also stealthily load in-memory Java bytecode sent by the attackers, which is then executed in the Tomcat webserver running on the compromised Versa Director device.


[Figure: Volt Typhoon's attack flow on Versa Director]

Lumen's Black Lotus Labs linked these attacks to Volt Typhoon, also known as Bronze Silhouette, based on known tactics, techniques, and procedures.

Volt Typhoon is a Chinese state-backed hacking group notorious for hijacking SOHO routers and VPN devices to conduct stealthy attacks on targeted organizations. The group uses compromised routers, firewalls, and VPN devices to blend malicious traffic with legitimate traffic, allowing their attacks to go undetected.

In December 2023, Black Lotus Labs revealed that Volt Typhoon was compromising SOHO routers, VPN devices, and IP cameras to build the 'KV-botnet,' used to launch attacks on targeted networks. The devices compromised in this campaign included Netgear ProSAFE firewalls, Cisco RV320s, DrayTek Vigor routers, and Axis IP cameras.

In January, the FBI and CISA issued a joint advisory urging manufacturers of SOHO routers to enhance their devices' security against Volt Typhoon attacks.

In February, Volt Typhoon exploited a remote code execution vulnerability in FortiOS SSL VPN to install custom malware, with over 20,000 Fortinet devices affected by the attacks.

To check whether devices have been compromised, Versa customers should inspect the /var/versa/vnms/web/custom_logo/ folder for suspicious files. Black Lotus Labs also recommends that administrators check for newly created accounts and restrict access to the HA pairing ports 4566 and 4570.
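Because the malicious uploads were Java files carrying a .png name, a useful check on the custom_logo folder is to compare each file's header against its claimed type rather than trusting the extension. This Python is an added example (not from the article, Versa or Black Lotus Labs); the folder path comes from the article, while the fixture directory and its file contents are constructed for an offline run.

```python
import tempfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # compiled Java class file
ZIP_MAGIC = b"PK\x03\x04"                # JAR files are ZIP archives

def classify_file(path):
    """Return None if the file starts with a genuine PNG signature,
    otherwise a short reason describing what the header actually is."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(PNG_MAGIC):
        return None
    if head.startswith(JAVA_CLASS_MAGIC):
        return "Java class file with .png name"
    if head.startswith(ZIP_MAGIC):
        return "ZIP/JAR archive with .png name"
    return "not a PNG (header %s)" % head.hex()

def scan_custom_logo_dir(directory="/var/versa/vnms/web/custom_logo/"):
    """Return a sorted list of (filename, reason) for every regular file in
    the custom icon folder whose content does not match a real PNG."""
    findings = []
    for entry in sorted(Path(directory).iterdir()):
        if not entry.is_file():
            continue
        reason = classify_file(entry)
        if reason is not None:
            findings.append((entry.name, reason))
    return findings

def build_sample_dir():
    """Constructed fixture: one real PNG header, a class file and a JAR
    stub renamed to .png. Bytes are stubs, not the real malware."""
    d = Path(tempfile.mkdtemp())
    (d / "logo.png").write_bytes(PNG_MAGIC + b"\x00" * 16)
    (d / "VersaTest.png").write_bytes(JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34")
    (d / "theme.png").write_bytes(ZIP_MAGIC + b"\x14\x00\x00\x00")
    return str(d)

if __name__ == "__main__":
    for name, reason in scan_custom_logo_dir(build_sample_dir()):
        print(f"{name}: {reason}")
```

Run against the real folder by calling scan_custom_logo_dir() with no argument on the Director host; any finding is worth correlating with the account audit and VirusTotal lookups described above.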

The researchers have provided a full list of indicators of compromise (IoCs) related to this campaign, along with further steps to mitigate the attacks in their report.


Read the complete report here

Cherie Griffith-Dunn

President|Founder of CYPROTECK Technologies Inc | Microsoft Security Partner | Cybersecurity Expert

2 months

Please join us at CEO Skip Day, CEO Skip Day, which aims to empower CEOs globally to step away from their daily operations and focus on strategic growth. CEO Skip Day is designed to help leaders identify and address the barriers preventing their businesses from thriving independently. By participating, CEOs will have the opportunity to implement their 10x strategies and plug the gaps hindering their progress. For those unable to attend, we will provide badges to encourage the adoption of these principles remotely. https://www.ceoskipday.com

Jeremy LaBrie

Project SIS-TZU The Art of War and Peace. May you thrive in interesting times. In Progress Think Tank Co-Creator/Co-Founding Member. Part time Zeitgeist Surfing Instructor.

2 months

You can’t say that on television.

Mahmoud Yassin

Chief Technology Security Officer at CYB3R Specialist in Security Assurance Services | Managed Security Operations | Data Privacy | #BecauseYourSecurityMatters

3 months

Bruce Schneier, one of the founding fathers of our modern information security industry and a great cryptographer, once said: "when the law makers became the law breakers we are all in trouble".

Simon Sanders

Native speaker with 14 years of experience as an English Teacher. I’ve had the privilege of teaching Conversational, Business, Law and Medical English to students across the Planet.

3 months

Good evening. I hope this message finds you well and not at a busy moment. My name is Simon and I am from the UK and it’s a pleasure to meet you. Whilst not only am I an English Language educator teaching Conversational & Business English to my students online around the world, I am looking to do voice over work for companies' advertisements and promotional videos also. I know the growing trend with companies is to use AI for the voices in videos, but in case you want a very clear, well pronounced British voice I would be delighted to work with your company to attain its goals, be that as I said by teaching and improving your staff’s English speaking skills for international business conversations, or by performing voiceover work for your advertising team. I have a CELTA Teaching certificate and can discuss details further over a short video call, or of course through LinkedIn and the messenger service we are currently communicating through! I look forward to possibly discussing the ideas I put forward further with you or another member of your company, and of course am sending best wishes for a beautiful, productive and successful day ahead. Kind regards, Simon James Sanders.
