Chinese state-sponsored actors tracked as Volt Typhoon (also known as Bronze Silhouette) are actively exploiting a zero-day vulnerability in software used by many internet service providers and managed service providers.
The US Cybersecurity and Infrastructure Security Agency (CISA) released an advisory and, by adding the flaw to its Known Exploited Vulnerabilities catalog, gave federal agencies until September 13th to apply mitigations.
The flaw is in Versa Director, the central management component of Versa's SD-WAN product, which some Internet Service Providers (ISPs) use to run their networks. For threat actors it is a lucrative target: a compromised Director lets them view or control network infrastructure at scale and pivot into downstream customer networks of interest.
Wide-area networking and security software vendor Versa Networks released a patch for the vulnerability and is actively working with all customers to harden the systems.
The Versa Director graphical user interface contains an unrestricted file upload in its "Change Favicon" (favorite icon) feature. The feature is meant to accept a .png image, but it checks only the file name, so an attacker can upload a malicious file disguised as an image by giving it a .png extension. Exploitation requires elevated privileges: the "Provider-Data-Center-Admin" or "Provider-Data-Center-System-Admin" role.
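The weakness described above is the classic extension-only upload check. The following is an added example, not Versa's code and not taken from any advisory or report: it places an extension-only check beside a content check that verifies the PNG signature, parses and CRC-checks the IHDR chunk, bounds the image size, and rejects trailing bytes after IEND (the usual way an archive or script is appended to a real image). The role names are the ones quoted in the article; the upload handler, the function names and the sample files are assumptions constructed for the example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
IEND_CHUNK = b"\x00\x00\x00\x00IEND\xaeB`\x82"  # zero-length IEND chunk with its fixed CRC

# Roles the article says are needed to reach the favicon upload (names from the page).
ALLOWED_ROLES = {"Provider-Data-Center-Admin", "Provider-Data-Center-System-Admin"}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(width: int, height: int) -> bytes:
    """Build a minimal valid 8-bit RGB PNG (constructed sample, solid black)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00" * (3 * width) for _ in range(height))  # filter byte 0 + pixels
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def weak_check(filename: str, data: bytes) -> bool:
    """Extension-only check: anything named *.png passes, including a JAR or web shell."""
    return filename.lower().endswith(".png")


def validate_png_upload(filename: str, data: bytes, max_dim: int = 256, max_bytes: int = 64 * 1024) -> bool:
    """Content check: signature, well-formed IHDR with sane dimensions, CRC, and IEND as the final bytes."""
    if not filename.lower().endswith(".png"):
        return False
    if len(data) > max_bytes or not data.startswith(PNG_SIGNATURE):
        return False
    if len(data) < 8 + 25 + len(IEND_CHUNK):  # signature + IHDR chunk + IEND chunk
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return False
    width, height = struct.unpack(">II", data[16:24])
    if not (0 < width <= max_dim and 0 < height <= max_dim):
        return False
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(data[12:29]) & 0xFFFFFFFF != crc:
        return False
    # Reject anything after IEND: a real image with an archive or script appended is a polyglot.
    return data.endswith(IEND_CHUNK)


def handle_favicon_upload(role: str, filename: str, data: bytes, check=validate_png_upload) -> str:
    """Hypothetical upload handler: privilege gate first, then content validation."""
    if role not in ALLOWED_ROLES:
        return "forbidden"
    return "stored" if check(filename, data) else "rejected"


# Constructed samples (not real artifacts).
VALID_FAVICON = make_png(16, 16)
FAKE_JAR = b"PK\x03\x04" + b"\x00" * 26 + b"shell.class" + b"\x00" * 64  # ZIP local-file header stands in for a JAR
POLYGLOT = VALID_FAVICON + FAKE_JAR                                      # genuine image with an archive appended
HEADER_ONLY = PNG_SIGNATURE + b'<% out.println("shell"); %>'             # PNG signature with no real chunks

if __name__ == "__main__":
    for name, blob in [("favicon", VALID_FAVICON), ("jar", FAKE_JAR), ("polyglot", POLYGLOT), ("header", HEADER_ONLY)]:
        print(f"{name:9s} weak={weak_check('favicon.png', blob)} strong={validate_png_upload('favicon.png', blob)}")
```

The point of the handler is that the privilege requirement is not a mitigation on its own: an attacker who has obtained an admin session (the scenario in this article) passes the role gate, and only the content check stops the disguised upload. Even the content check is defence in depth; the robust fix is to decode and re-encode the image server-side so that nothing the client sent is stored byte-for-byte, and to apply the vendor patch.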
That requirement did not stop Volt Typhoon: according to a report by the Black Lotus Labs team at Lumen Technologies, the group had been exploiting the flaw since at least June 2024.
The researchers who reported the flaw found a "unique, custom-tailored web shell" that the threat actor used to intercept and harvest credentials. Those credentials, in turn, let the attackers reach the affected ISPs' customers' networks as authenticated users.
The malware, dubbed VersaMem, is sophisticated: it can load additional Java code and run it exclusively in memory on the compromised server, which hides it from file-based detection and keeps the web shell, its modules, and the zero-day itself out of defenders' sight.
Lumen's researchers also observed the attackers operating from compromised small-office/home-office (SOHO) devices. Volt Typhoon compromised at least five victims, four of them in the US.
“Once injected, the web shell code hooks Versa’s authentication functionality, allowing the attacker to passively intercept credentials in plaintext, potentially enabling downstream compromises of client infrastructure through legitimate credential use,” the report reads.
The web shell was uploaded to VirusTotal on June 7th, 2024, and as of the report's publication it had zero anti-virus detections.
Researchers warn that the consequences of a successful compromise are severe, given the severity of the vulnerability, the sophistication of the threat actor, and the central role Versa Director plays in the networks it manages. The report shares indicators of compromise and urges expedited patching among other mitigations.
Volt Typhoon was previously identified by US government agencies as having hijacked large numbers of American routers and lurked in them for years.
In March 2024, cybersecurity agencies worldwide warned critical infrastructure leaders about this threat actor and urged them to protect their systems.