Volt Typhoon Exploits Zero-Day Vulnerability in Versa Director: A New Cyber Espionage Threat


Introduction

The cyber espionage group known as Volt Typhoon, believed to be linked to China, has been identified as the likely culprit behind the exploitation of a recently uncovered zero-day vulnerability in Versa Director. This vulnerability, CVE-2024-39717, is a high-severity flaw affecting systems in various sectors, including internet service providers (ISPs) and managed service providers (MSPs). The group has successfully targeted several U.S. and international organizations, and their activities are ongoing. This article will explore the details of the vulnerability, how Volt Typhoon has exploited it, and what can be done to mitigate future risks.

The Zero-Day Vulnerability: CVE-2024-39717

CVE-2024-39717, a file upload flaw in Versa Director, allows users with administrative privileges to upload potentially harmful files disguised as PNG images. The flaw was identified as a significant risk when it was added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The vulnerability, given a CVSS score of 6.6, enables threat actors with administrative access to leverage the "Change Favicon" option in Versa Director’s graphical user interface (GUI) to upload malicious files. Although a fix has been provided in versions 22.1.4 and later, several organizations have yet to patch their systems, leaving them vulnerable to ongoing attacks.

Versa Networks, the company behind Versa Director, issued an advisory that cites customers' failure to apply the system hardening and firewall guidance it published in 2015 and 2017 as a contributing factor in the success of these attacks.

Volt Typhoon's Exploitation of Versa Director

Volt Typhoon’s history of exploiting small office and home office (SOHO) network equipment to obscure their movements has made them a particularly dangerous and stealthy adversary. The group’s latest focus on Versa Networks, a Secure Access Service Edge (SASE) provider, is consistent with their established tactics. According to Black Lotus Labs, a security research group from Lumen Technologies, the cyber espionage campaign is likely driven by the desire to gather credentials and compromise downstream networks.

Volt Typhoon utilized a custom web shell, dubbed VersaMem, to exploit the vulnerability. This web shell was designed to intercept credentials and execute additional malicious code in memory. The group first tested the web shell against non-U.S. victims before launching attacks on U.S.-based targets.

The Sophistication of the Attack

The custom web shell used by Volt Typhoon, VersaMem, demonstrates the advanced tactics of this threat actor. The shell is modular in nature, allowing operators to inject Java code into the Tomcat web server’s memory, bypassing traditional file-based detection methods. Once installed, the shell intercepts credentials in plaintext and enables attackers to move laterally within the affected networks, potentially initiating supply chain attacks.

Interestingly, the earliest known sample of VersaMem appeared on VirusTotal from Singapore on June 7, 2024. By late August 2024, no anti-malware tools had flagged it as malicious, highlighting the sophistication of the attack and the challenges in detecting it.

Countermeasures and Mitigation

To counteract this ongoing threat, security experts recommend applying the necessary patches and updates to Versa Director, in particular upgrading to version 22.1.4 or later. Organizations are also advised to block external access to certain ports, including 4566 and 4570, which Volt Typhoon uses to carry out its attacks. Defenders should also review network traffic originating from SOHO devices and search Versa Director servers for PNG image files, since a file carrying a .png extension may be a disguised upload rather than a genuine image.
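The article's recommendation to hunt for PNG files on Versa Director servers raises an obvious question: how do you tell a real image from a malicious file that merely carries a .png extension? The script below is an added example, not code from Versa Networks, Black Lotus Labs or the article. It walks a directory, reads the first bytes of every file named *.png, and reports any whose content does not begin with the PNG signature, labelling the true type where a common magic number (Java class, ZIP/JAR, ELF, PE) is recognised. The directory to scan, the sample files it builds, and the set of magic numbers are all assumptions; the real upload location of Versa Director is not given on the page and must be supplied by the operator.

```python
"""Flag *.png files whose bytes are not actually PNG data.

Added example for triaging files disguised as PNG images on a Versa
Director host. Not code from Versa Networks or from the original article;
the scan root and the constructed sample files are assumptions.
"""
import tempfile
from pathlib import Path

# Every valid PNG starts with this 8-byte signature.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Generic magic numbers (assumption: chosen because a Java web shell
# injected into Tomcat, as the article describes, would plausibly arrive
# as a class file or JAR; these are not indicators taken from the campaign).
KNOWN_MAGICS = {
    b"\xca\xfe\xba\xbe": "Java class file",   # also used by Mach-O fat binaries
    b"PK\x03\x04": "ZIP/JAR archive",
    b"\x7fELF": "ELF executable",
    b"MZ": "Windows PE executable",
}


def classify(header: bytes) -> str:
    """Return a label describing the first bytes of a file."""
    if header.startswith(PNG_MAGIC):
        return "PNG"
    for magic, label in KNOWN_MAGICS.items():
        if header.startswith(magic):
            return label
    # JSP/script-like text is another common web shell shape.
    lowered = header.lower()
    if lowered.lstrip().startswith(b"<%") or b"<script" in lowered:
        return "script/JSP-like text"
    return "unknown"


def find_disguised_pngs(root):
    """Walk root recursively; return (path, label) for every *.png file
    whose content is not a PNG image."""
    findings = []
    for path in sorted(Path(root).rglob("*.png")):
        if not path.is_file():
            continue
        with open(path, "rb") as f:
            header = f.read(16)
        label = classify(header)
        if label != "PNG":
            findings.append((str(path), label))
    return findings


def build_sample_dir():
    """Constructed sample directory: one genuine PNG header and two files
    that carry a .png name but contain other data (assumed, for the demo)."""
    d = tempfile.mkdtemp(prefix="png_check_")
    (Path(d) / "favicon.png").write_bytes(PNG_MAGIC + b"\x00" * 32)
    (Path(d) / "logo.png").write_bytes(b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\x00" * 16)
    (Path(d) / "icon.png").write_bytes(b"PK\x03\x04" + b"\x00" * 20)
    return d


if __name__ == "__main__":
    # Replace build_sample_dir() with the real upload directory when hunting.
    sample = build_sample_dir()
    for path, label in find_disguised_pngs(sample):
        print(f"{path}: named .png but content looks like {label}")
```

Only the first 16 bytes are read, so the check is cheap enough to run across a whole web root; a hit is a triage lead, not proof of compromise, and the flagged file should be preserved and examined rather than deleted in place.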

Furthermore, organizations should ensure that Versa Director instances are segmented and shielded from public access. Recent data from Censys, an attack surface management company, revealed that 163 Versa Director instances remain exposed to the internet, presenting an open door for potential exploitation.

Volt Typhoon's Broader Threat Landscape

Volt Typhoon, also known by aliases such as Bronze Silhouette, Insidious Taurus, and Vanguard Panda, is an advanced persistent threat (APT) group that has been active for at least five years. The group primarily focuses on targeting critical infrastructure in the U.S. and its territories, such as Guam. Their long-term goal appears to be maintaining undetected access to sensitive networks, allowing them to exfiltrate critical data over time.

However, China's National Computer Virus Emergency Response Center (CVERC) has dismissed these accusations, labeling Volt Typhoon as a creation of U.S. intelligence agencies. According to CVERC, Volt Typhoon is actually a ransomware group known as Dark Power, further complicating the narrative around their activities.

Conclusion

Volt Typhoon's exploitation of the CVE-2024-39717 vulnerability in Versa Director is a testament to their persistence and technical capability. By leveraging unpatched systems and exploiting advanced tactics such as web shell manipulation, the group poses a serious threat to both U.S. and global organizations. With a clear focus on stealth and supply chain compromise, Volt Typhoon continues to challenge cybersecurity experts and organizations alike. Effective mitigation strategies, including patch management and network segmentation, are critical to defending against this ongoing campaign.
