Volt Typhoon suspected of exploiting Versa SD-WAN bug since June

update It looks like China's Volt Typhoon has found a new way into American networks as Versa has disclosed a nation-state backed attacker has exploited a high-severity bug affecting all of its SD-WAN customers using Versa Director.

This vulnerability, tracked as CVE-2024-39717, is being abused to plant custom, credential-harvesting web shells on customers' networks, according to Black Lotus Labs. Lumen Technologies' security researchers have attributed "with moderate confidence" both the new malware, dubbed VersaMem, and the exploitation of Volt Typhoon, warning that these attacks are "likely ongoing against unpatched Versa Director systems."

Volt Typhoon is the Beijing-backed cyberspy crew that the feds have accused of burrowing into US critical infrastructure networks while readying "disruptive or destructive cyberattacks" against these vital systems.

Versa Director is a software tool that allows for the central management and monitoring of Versa SD-WAN software. It's generally used by internet service providers (ISPs) and managed service providers (MSPs) to maintain their customers' network configurations — and this makes it an attractive target for cybercriminals because it gives them access to the service providers' downstream customers.

That appears to be the case with this CVE, as Versa notes the attacks target MSPs for privilege escalation. 

In a Monday security advisory, the software manufacturer noted that the bug allowed users with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges to upload malicious files. 

It affected customers that hadn't implemented Versa's recommended system hardening and firewall guidelines, and, as a result, had a management port exposed to the internet, which gave the cyber snoops access to the victims' networks.

Versa has since released a patch, and encourages all customers to upgrade to Versa Director version 22.1.4 or later and apply the hardening guidelines. But the advice comes too late for some, as we're told: "This vulnerability has been exploited in at least one known instance by an Advanced Persistent Threat actor."

The software maker did not immediately respond to The Register's questions about the scope of the attacks, and who is believed to be responsible for the exploits.

The US Cybersecurity and Infrastructure Security Agency (CISA) on August 23 added CVE-2024-39717 to its Known Exploited Vulnerabilities catalog.

In subsequent research posted today, the Black Lotus Labs team says China's Volt Typhoon cyber espionage crew exploited this CVE as a zero-day for more than two months. 

"Analysis of our global telemetry identified actor-controlled small-office/home-office (SOHO) devices exploiting this zero-day vulnerability at four U.S. victims and one non-U.S. victim in the Internet service provider (ISP), managed service provider (MSP) and information technology (IT) sectors as early as June 12, 2024," the threat hunters noted.

After gaining access to the victims' networks via the exposed Versa management port, the attackers deployed the VersaMem web shell, which steals credentials and then allows Volt Typhoon to access the service providers' customers' networks as authenticated users. 

"VersaMem is also modular in nature and enables the threat actors to load additional Java code to run exclusively in-memory," the security shop added.

• Beijing's attack gang Volt Typhoon was a false flag inside job conspiracy: China
• America's enemies targeting US critical infrastructure should be 'wake-up call'
• Five Eyes tell critical infra orgs: Take these actions now to protect against China's Volt Typhoon
• 68 tech names sign CISA's secure-by-design pledge

When asked about Black Lotus Labs' attribution, Doug Britton, chief strategy officer at RunSafe Security, agreed that "this seems like a classic Volt Typhoon exploit."

Britton works with critical infrastructure CISOs to protect against this particular government-backed crew, and said this new attack "fits with their established MO of targeting edge systems to then move inbound for living off the land."

"This is a high-leverage attack, similar to SolarWinds, that once compromised, can allow attackers to expand their footprint below radar," he told The Register.

Plus, for anyone not yet convinced that software should be secure by design — with the onus for managing security risks falling on technology manufacturers, not the end users — this latest vulnerability should be more proof that CISA is on to something.

"The Versa blog on the topic subtly chastises affected users for failing to implement recommended security guidance," Britton said. "CISA's whole point in Secure by Default is that vendors need to find ways to guarantee that the out of the box system is as secure as possible, minimizing the possibility that overworked operators make these types of errors."

It also highlights the need for vendors to find a way to future-proof their products against unknown flaws, he added. "Commercially available technologies exist that can allow product and software manufacturers the ability to neutralize entire classes of vulns (known and unknown), without devolving into the whack-a-mole game of bug chasing." ®

Updated at 1730 UTC on August 28

CISA Executive Assistant Director for Cybersecurity Jeff Greene told The Register: "Based on collaboration with our industry partners, CISA issued an alert last Friday adding the Versa Director vulnerability to our known exploited vulnerabilities (KEV) catalog, which is our authoritative source of vulnerabilities that are being actively exploited.

"We issued a new alert yesterday with updated information and we urge all relevant organizations to prioritize patching this vulnerability."

"At this time, CISA has no indication that Federal agencies have been impacted," Greene noted. "While the U.S. government has not attributed this threat to a specific actor, CISA has been clear about the urgent risk to critical infrastructure posed by Chinese cyber actors. We urge critical infrastructure owners and operators to take steps to protect against this threat and improve their security and resilience."