{"id":5036,"date":"2024-08-27T09:00:00","date_gmt":"2024-08-27T14:00:00","guid":{"rendered":"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/china-s-volt-typhoon-actively-exploiting-now-patched-0-day-in-versa-director-servers"},"modified":"2024-08-27T09:00:00","modified_gmt":"2024-08-27T14:00:00","slug":"chinas-volt-typhoon-exploits-0-day-in-versas-sd-wan-director-servers","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/08\/27\/chinas-volt-typhoon-exploits-0-day-in-versas-sd-wan-director-servers\/","title":{"rendered":"China&#8217;s Volt Typhoon Exploits 0-day in Versa&#8217;s SD-WAN Director Servers"},"content":{"rendered":"<div class=\"media_block\"><a href=\"https:\/\/i0.wp.com\/eu-images.contentstack.com\/v3\/assets\/blt6d90778a997de1cd\/bltde047b0a492bc590\/66ccdd5531537a372dc86f31\/china_Pixels_Hunter_shtterstock.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/chinas-volt-typhoon-exploits-0-day-in-versas-sd-wan-director-servers.jpg?w=640&#038;ssl=1\" class=\"media_thumbnail\"><\/a><\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">China&#8217;s notorious Volt Typhoon group has been actively exploiting a zero-day bug in Versa Networks&#8217; Director Servers to intercept and harvest credentials to be used in future attacks.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The bug, now patched and tracked as CVE-2024-39717, affects all versions of Versa Director prior to 22.1.4, and has to do with a feature that lets users customize the look and feel of its graphical user interface (GUI). <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/versa-networks.com\/documents\/datasheets\/versa-director.pdf\" rel=\"noopener\">Versa Director<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> servers are a component of Versa Networks&#8217; software-defined wide area networking (SD-WAN) technology. They allow organizations to centrally configure, manage and monitor network devices, traffic routing, security policies and other aspects of an SD-WAN environment. Its customers include ISPs, MSPs and many larger organizations.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Dan Maier, CMO at Versa, says the vulnerability can be seen as a privilege escalation bug, because the attacker is harvesting credentials to gain privileged access. He notes that attackers gain initial access to Versa Director via high-availability management ports 4566 and 4570 if they&#8217;re left open and available over the Internet.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;Once the attackers gain initial access, they escalate privileges to gain highest-level administrator credentials,&#8221; Maier says, adding that Versa has always instructed customers to limit access to such high-availability ports.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Researchers from Lumen Technologies&#8217; Black Lotus Labs <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/blog.lumen.com\/taking-the-crossroads-the-versa-director-zero-day-exploitation\" rel=\"noopener\">discovered the bug<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> and noted that their analysis showed the threat actor using <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/cloud-security\/volt-typhoon-soho-botnet-infects-us-govt-entities\" rel=\"noopener\">attacker-controlled small-office\/home-office (SOHO) devices<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">\u2014a common Volt Typhoon tactic\u2014to access vulnerable Versa Director systems via the management ports.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 
ContentText_align_left\" data-testid=\"content-text\" id=\"Active Exploitation Since at Least June\">Active Exploitation Since at Least June<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Lumen researchers reported the bug to Versa on June 21, or about nine days after they believe Volt Typhoon first began exploiting it. Versa confirmed the zero-day vulnerability and issued a customer advisory describing mitigations for the bug on July 26. The company then released a second advisory on Aug. 8 with technical details, and released a <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/versa-networks.com\/blog\/versa-security-bulletin-update-on-cve-2024-39717-versa-director-dangerous-file-type-upload-vulnerability\/\" rel=\"noopener\">security bulletin<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> on Aug. 26 more fully describing the flaw.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;Our customer base is in the midst of their upgrades to [the patched] software version,&#8221; Maier notes, and says Versa has confirmed only one incident where an attacker successfully exploited the vulnerability. However, Lumen researchers say the attacker has compromised at least five victims\u2014four of whom are US-based. The victim organizations are from the managed service provider, Internet service provider, and IT sectors, Lumen said. 
Dark Reading has reached out for verification on the discrepancy in the victim count.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">In its report released today, Lumen researchers said Volt Typhoon actors use CVE-2024-39717 to drop &#8220;VersaMem,&#8221; a bespoke Web shell for capturing plaintext user credentials on affected systems. The threat actor is also using VersaMem to monitor all inbound requests to the underlying Apache Tomcat Web application server, and to dynamically load in-memory Java modules into it, they said.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;At the time of this writing, we assess the exploitation of this vulnerability is limited to Volt Typhoon and is likely ongoing against unpatched Versa Director systems,&#8221; according to the Lumen post.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"Protect Ports to Prevent Credential-Stealing Malware\">Protect Ports to Prevent Credential-Stealing Malware<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">HackerOne, through which Versa coordinated the vulnerability disclosure, has assessed the vulnerability as only moderately severe, with a base score of 6.6 out of 10 on the CVSS scale. The bug-bounty firm has described the vulnerability as complex to exploit and requiring high user privileges. 
But Versa itself has described the issue as concerning given the ability to exploit it to upload dangerous files to Versa Director, and its potential widespread footprint: &#8220;Although the vulnerability is difficult to exploit, it\u2019s rated &#8216;high&#8217; and affects all Versa SD-WAN customers using Versa Director that have not implemented the system hardening and firewall guidelines.&#8221;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Michael Horka, security researcher with Lumen&#8217;s Black Lotus, says that when the aforementioned Versa Director management ports 4566 and 4570 are exposed externally the vulnerability is actually fairly easy to exploit.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;The management port provides unauthenticated access to the GUI, which then allows for the exploitation of CVE-2024-39717, leading to an unrestricted file upload and code execution of the [VersaMem] Web shell,&#8221; he says. &#8220;If the Versa Director management ports 4566 and 4570 are not exposed externally, then the threat actor would need to gain access to the Web interface through a different method such as credential theft, phishing, exploiting another vulnerability,&#8221; he says. 
&#8220;This raises the difficulty level of successful exploitation.&#8221;<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"CISA Adds CVE-2024-39717 to Known Exploited Vuln Catalog\">CISA Adds CVE-2024-39717 to Known Exploited Vuln Catalog<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The attacks have prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2024-39717 to its catalog of <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2024\/08\/23\/cisa-adds-one-known-exploited-vulnerability-catalog-versa-networks-director\" rel=\"noopener\">known exploited vulnerabilities<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">. Federal civilian executive branch agencies must apply Versa&#8217;s mitigations for the flaw by Sept. 
13, or discontinue use of the technology until they can mitigate it.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Volt Typhoon is a China-sponsored group that security researchers and the <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/cybersecurity-operations\/us-govt-reportedly-trying-to-disrupt-volt-typhoon-attack-infrastructure\" rel=\"noopener\">US government<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> alike perceive as one of the most dangerous, pernicious and persistent nation-state actors currently active. The group is well known for its attacks on <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/cyber-risk\/volt-typhoon-ramps-up-malicious-activity-critical-infrastructure\" rel=\"noopener\">US critical infrastructure targets<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> going back to at least 2021. 
Many believe the threat actor has established a <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/china-s-volt-typhoon-apt-burrows-us-critical-infrastructure\" rel=\"noopener\">hidden presence<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> on numerous US networks and has the potential to create widespread disruption in the event that geopolitical tensions over Taiwan escalate into a military conflict between the US and China.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Researchers at Lumen uncovered the campaign while investigating traffic that suggested possible exploitation of Versa Director Servers on June 12. Their analysis showed the threat actor had compiled the Web shell in early June and uploaded a sample to VirusTotal a few days later to see whether any antivirus tools would detect it. As of today, no antivirus tools detect the malware, Lumen researchers said.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Versa is urging customers to upgrade to remediated versions of the software and to check whether anyone has already exploited the vulnerability in their environment. 
The company also wants organizations to implement its guidelines for system hardening and firewall rules to mitigate their overall risk.<\/span><\/p>\n<p><a href=\"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/china-s-volt-typhoon-actively-exploiting-now-patched-0-day-in-versa-director-servers\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>China&#8217;s notorious Volt Typhoon group has been actively exploiting a<\/p>\n","protected":false},"author":12,"featured_media":5037,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-5036","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/chinas-volt-typhoon-exploits-0-day-in-versas-sd-wan-director-servers.jpg?fit=1920%2C1080&ssl=1",1920,1080,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/chinas-volt-typhoon-exploits-0-day-in-versas-sd-wan-director-servers.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/chinas-volt-typhoon-exploits-0-day-in-versas-sd-wan-director-servers.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/chinas-volt-typhoon-exploits-0-day-in-versas-sd-wan-director-servers.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/chinas-volt-typhoon-exploits-0-day-in-versas-sd-wan-director-servers.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/chinas-volt-typhoon-exploits-0-day-in-versas-sd-wan-director-servers.jpg?fit=1
536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/chinas-volt-typhoon-exploits-0-day-in-versas-sd-wan-director-servers.jpg?fit=1920%2C1080&ssl=1",1920,1080,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/chinas-volt-typhoon-exploits-0-day-in-versas-sd-wan-director-servers.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/chinas-volt-typhoon-exploits-0-day-in-versas-sd-wan-director-servers.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/chinas-volt-typhoon-exploits-0-day-in-versas-sd-wan-director-servers.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category 
tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/chinas-volt-typhoon-exploits-0-day-in-versas-sd-wan-director-servers.jpg?fit=1920%2C1080&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5036","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=5036"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5036\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/5037"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=5036"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=5036"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=5036"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}