
topicnews · August 27, 2024

New zero-day attacks linked to China’s “Volt Typhoon” – Krebs on Security

Malicious hackers are exploiting a zero-day vulnerability in Versa Director, a software product used by many Internet and IT service providers. Researchers believe the activity is linked to Volt Typhoon, a Chinese cyber espionage group whose goal is to infiltrate critical U.S. networks and lay the groundwork for disrupting communications between the United States and Asia in the event of a future armed conflict with China.

Image: Shutterstock.com

Versa Director systems are primarily used by Internet service providers (ISPs) and managed service providers (MSPs), which also serve the IT needs of many small and medium-sized businesses. In a security advisory published on August 26, Versa urged its customers to install a patch for the vulnerability (CVE-2024-39717), which the company says exists in Versa Director 22.1.4 or later.

Versa says the vulnerability allows attackers to upload arbitrary files to vulnerable systems. The blame is largely placed on Versa customers who “failed to implement system hardening and firewall policies… leaving an administration port open on the Internet that allowed attackers to gain initial access.”

Versa’s alert does not specify how the company learned about the zero-day vulnerability, but the mitre.org vulnerability list states that “there are reports of additional vulnerabilities based on third-party backbone telemetry observations, but these are currently unconfirmed.”

These third-party reports came at the end of June 2024 from Michael Horka, Senior Information Security Engineer at Black Lotus Labs, the security research branch of Lumen Technologies, which operates one of the largest backbones of the global Internet.

In an interview with KrebsOnSecurity, Horka said Black Lotus Labs identified a web-based backdoor on Versa Director systems of four U.S. victims and one non-U.S. victim in the ISP and MSP sectors, with the earliest known exploit activity occurring on June 12, 2024 at a U.S. ISP.

“This makes Versa Director a lucrative target for advanced persistent threat (APT) actors seeking to view or control the network infrastructure at scale or to gain access to additional (or downstream) networks of interest,” Horka wrote in a blog post published today.

Black Lotus Labs said it had a “medium” level of confidence that Volt Typhoon was responsible for the attacks, saying the intrusions bore the hallmarks of the Chinese state-sponsored espionage group, including zero-day attacks on IT infrastructure providers and Java-based backdoors that only run in memory.

In May 2023, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint warning (PDF) about Volt Typhoon, also known as “Bronze Silhouette” and “Insidious Taurus,” which describes how the group uses network devices in small office/home office (SOHO) settings to hide its activities.

In early December 2023, Black Lotus Labs published its findings on “KV botnet”, thousands of compromised SOHO routers interconnected to form a covert data transmission network that supported various Chinese state-sponsored hacker groups, including Volt Typhoon.

In January 2024, the US Department of Justice announced that the FBI had conducted a court-ordered takedown of the KV botnet shortly before the release of Black Lotus Labs’ December report.

In February 2024, CISA again joined the FBI and NSA in warning that Volt Typhoon had compromised the IT environments of several critical infrastructure organizations—primarily in communications, energy, transportation systems, and water and wastewater—in the continental and non-continental United States and its territories, including Guam.

“Volt Typhoon’s target selection and behavior pattern are inconsistent with traditional cyber espionage or intelligence operations, and U.S. authorities believe it is highly likely that Volt Typhoon actors pre-positioned themselves in IT networks to enable lateral movement into OT [operational technology] systems so that those systems may malfunction,” the advisory warned.

In a speech at Vanderbilt University in April, FBI Director Christopher Wray said China is developing the “capability to physically wreak havoc on our critical infrastructure at a time of its choosing” and that China’s plan is to “launch strikes against civilian infrastructure to induce panic.”

Ryan English, an information security engineer at Lumen, said it was disappointing that his employer did not receive at least an honorable mention in Versa’s security advisory, but he was glad that far fewer Versa systems were now exposed to the attack.

“Lumen has been working very closely with leadership over the last nine weeks to help them mitigate the situation,” English said. “We gave them everything we could, so it’s kind of silly to just be mentioned as a third party.”