Hackers Infiltrate ISPs Using Malware to Acquire Customer Credentials

### Chinese State-Supported Hackers Utilize Zero-Day Flaw in US Internet Providers

#### Introduction

Malicious hackers, presumably affiliated with the Chinese government, have exploited a severe zero-day vulnerability in the Versa Director platform to plant malware in at least four U.S.-based Internet Service Providers (ISPs) and steal credentials from their downstream customers. The attacks reportedly began no later than June 12, 2024, and are still ongoing, according to findings from Black Lotus Labs, the research division of security company Lumen.

#### The Vulnerability: CVE-2024-39717

The zero-day flaw, identified as CVE-2024-39717, is found within Versa Director, a virtualization platform used by ISPs and managed service providers (MSPs) to oversee complex networking systems from a unified interface. The vulnerability is linked to an unsanitized file upload weakness that permits attackers to inject harmful Java files into the system. These files operate with elevated privileges, giving the attackers administrative control over the compromised systems.

Once they gain access, the attackers deploy a custom web shell referred to as “VersaMem,” which provides remote administrative access to the infiltrated Versa Director systems. This web shell hooks into Versa's authentication flow, enabling the attackers to capture credentials in plaintext before they are cryptographically hashed. The stolen credentials are then used to breach the ISP’s customers.

#### The Attack Vector

The attackers exploited this vulnerability by focusing on port 4566, used by Versa Director for high-availability pairing between nodes. As per Black Lotus Labs, the threat actors initially accessed the system through this exposed port on the public Internet, stemming from inadequate system hardening and firewall policies. After breaching the defenses, the attackers leveraged compromised small office and home office (SOHO) routers to proxy their operations, complicating detection efforts.

Employing SOHO routers is a strategy frequently used by state-sponsored hackers, especially those from China and Russia. These routers generally possess lower security and are simpler to compromise, making them suitable for proxy attacks. In this instance, the attackers set up TCP sessions through port 4566, followed by substantial HTTPS connections over port 443, signifying successful exploitation.
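The port-4566-then-443 sequence described above is something a defender can look for in flow logs. The following is an added example, not code from the Black Lotus Labs report or from Versa: it assumes a simple whitespace-separated flow-log format, a known list of legitimate HA peer addresses (`HA_PEERS`), and an assumed byte threshold for a "substantial" HTTPS session, all of which are constructed for illustration.

```python
"""Flag non-peer access to Versa Director's HA port (4566) followed by bulk HTTPS.

Added example (not from the report). It assumes a flow-log line of
"timestamp src dst dst_port bytes", a known set of legitimate HA peers, and
raises an alert when a non-peer source touches port 4566 and then opens a
sizeable 443 session to the same host within a short window, the sequence
the report describes as signalling successful exploitation.
"""
from datetime import datetime, timedelta

# Constructed sample flow records: timestamp, src, dst, dst_port, bytes.
SAMPLE_FLOWS = """\
2024-06-12T09:00:01 10.20.0.5 10.20.0.10 4566 1200
2024-06-12T09:02:11 203.0.113.44 10.20.0.10 4566 980
2024-06-12T09:02:40 203.0.113.44 10.20.0.10 443 524288
2024-06-12T09:10:00 198.51.100.7 10.20.0.10 443 3000
"""

HA_PEERS = {"10.20.0.5"}        # assumed legitimate high-availability peer(s)
HA_PORT = 4566
WINDOW = timedelta(minutes=10)  # assumed correlation window
MIN_HTTPS_BYTES = 100_000       # assumed threshold for a "substantial" HTTPS session


def parse_flows(text):
    """Parse the constructed flow-log format into tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return flows


def find_suspicious(flows, peers=HA_PEERS):
    """Return (src, dst) pairs where a non-peer hit 4566 and then sent bulk HTTPS."""
    first_ha_hit = {}  # (src, dst) -> time of first non-peer contact with port 4566
    alerts = []
    for ts, src, dst, port, nbytes in sorted(flows):
        if port == HA_PORT and src not in peers:
            first_ha_hit.setdefault((src, dst), ts)
        elif port == 443 and nbytes >= MIN_HTTPS_BYTES:
            t0 = first_ha_hit.get((src, dst))
            if t0 is not None and ts - t0 <= WINDOW:
                alerts.append((src, dst))
    return alerts


if __name__ == "__main__":
    for src, dst in find_suspicious(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT: {src} reached HA port {HA_PORT} on {dst}, then opened bulk HTTPS")
```

Any non-peer source reaching port 4566 at all is worth an alert on its own; the correlation with a following bulk 443 session simply raises the priority.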

#### The VersaMem Web Shell

VersaMem operates as a modular web shell, allowing it to load various modules based on the attackers’ goals. To date, Black Lotus Labs has identified only one module that integrates with the Versa Director authentication process to exfiltrate credentials. The code handling this function resides only in memory, thereby decreasing the likelihood of detection by conventional endpoint protection systems.

Currently, VersaMem is not flagged as malicious by any leading antivirus software. Its in-memory design further complicates detection because no file needs to be written to disk, and on-disk scanning is a typical method security applications rely on to identify threats.

#### Attribution to Volt Typhoon

Based on the observed tactics, techniques, and procedures (TTPs) related to this attack, Black Lotus Labs holds moderate confidence that the hackers belong to Volt Typhoon, a state-sponsored Chinese hacker group noted for its sophistication and cyber activities. Volt Typhoon has been associated with various cyber espionage initiatives targeting U.S. critical infrastructure, spanning sectors such as communications, energy, transportation, and water and wastewater.

Earlier this year, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning indicating that Volt Typhoon had retained a presence in the networks of several U.S. critical infrastructure entities for up to five years. The group is suspected of positioning itself to disrupt operations across multiple sectors in the event of a crisis or conflict involving the United States.

#### Mitigation and Recommendations

Versa Networks has addressed the vulnerability in Versa Director as of Monday, following a confidential report from Lumen. All versions of Versa Director prior to 22.1.4 are affected. Organizations using Versa Director should promptly apply the patch and examine their systems for any indication of compromise.

Black Lotus Labs has shared indicators of compromise (IOCs) in their report, which organizations can utilize to ascertain if their systems have been impacted. Given the critical nature of the vulnerability and the expertise of the threat actors, swift action is vital for affected organizations to mitigate risk.

#### Conclusion

The exploitation of the CVE-2024-39717 vulnerability by probable Chinese state-sponsored hackers emphasizes the escalating threat posed by nation-state actors in the cyber realm. The attack on U.S.-based ISPs underscores the urgent need for robust cybersecurity protocols, especially in sectors responsible for managing critical infrastructure. As cyber threats continue to progress, organizations must stay alert and proactive in safeguarding their networks against such advanced attacks.