
August 28, 2024

Volt Typhoon exploits zero-day attacks in campaign against ISPs and MSPs

Dive Brief:

  • Volt Typhoon, a prolific state-affiliated threat actor, is exploiting a zero-day vulnerability in Versa Director servers in a campaign targeting Internet service providers, managed service providers and other technology companies, researchers at Black Lotus Labs warned in a blog post on Tuesday.
  • The vulnerability, tracked as CVE-2024-39717, allows users to upload potentially malicious files and grants them elevated privileges.
  • Black Lotus Labs researchers identified a custom web shell, dubbed VersaMem, that is designed to intercept and harvest credentials, allowing the attacker to access downstream customer networks as an authenticated user.

Dive Insight:

Volt Typhoon is one of the most prominent threat actors the United States has faced in recent years. In January, the FBI and other federal agencies warned that the China-linked actor was actively working to infiltrate critical infrastructure providers in order to pre-position for potentially disruptive attacks in the event of a military escalation in the Asia-Pacific region.

Black Lotus Labs researchers identified multiple actor-controlled small office/home office (SOHO) devices that successfully exploited the zero-day against five victims, four of them located in the United States and all of them Internet service providers, managed service providers or IT companies.

“The malware gives the attacker administrative privileges and allows them to load pretty much anything they want,” said Michael Horka, senior information security researcher at Black Lotus Labs. “Their sole purpose was to remain passive and steal data.”

Horka said the threat actor may have carried out other activity, such as data manipulation, but that type of activity would have been harder to hide.

Versa Networks has released a patch for the security vulnerability and is working with customers to get them to apply the update and implement system hardening policies. The company is aware of three companies that have been compromised worldwide, including one ISP and two MSPs, according to CMO Dan Maier.

Censys observed 164 publicly exposed hosts running the application; about 25 of them, roughly 15% of the total, expose a management port, according to Himaja Motheram, a security researcher at Censys. Many of these organizations are telecom or ISP companies, the type of companies the campaign is targeting.
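An exposed management port is the condition Censys is counting, so the first thing an operator of a Versa Director instance wants is a quick way to confirm, from an outside vantage point, whether their own host answers on those ports. The following is an added example written for this article; it is not code from Black Lotus Labs, Censys or Versa. The article does not name the management ports, so the default port list (4566 and 4570, the ports usually cited in Versa's hardening guidance) is an assumption here and should be checked against the vendor advisory. A completed TCP handshake only proves reachability; it says nothing about whether the host is patched for CVE-2024-39717.

```python
"""Check whether a Versa Director host exposes management ports.

Added example, not code from the article, Black Lotus Labs, Censys or Versa.
Run it from a network position outside the Director's management network,
e.g. `python check_mgmt_ports.py director.example.net`.
"""
import socket
import sys
from typing import Dict, Iterable

# ASSUMPTION: the article does not list the ports. 4566 and 4570 are the
# Director management ports usually cited in Versa's hardening guidance;
# confirm against the vendor advisory before relying on this list.
DEFAULT_MGMT_PORTS = (4566, 4570)


def port_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes.

    Reachability only; a successful connect does not tell you whether the
    service is patched, and a failure may mean a firewall rather than a
    closed port.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_ports(host: str, ports: Iterable[int] = DEFAULT_MGMT_PORTS,
                  timeout: float = 3.0) -> Dict[int, bool]:
    """Map each management port to whether it is reachable from here."""
    return {p: port_reachable(host, p, timeout) for p in ports}


def start_listener() -> socket.socket:
    """Open a throwaway listener on 127.0.0.1:0 so the check can be
    exercised offline against a known-open port (test scaffolding)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def closed_port() -> int:
    """Reserve and immediately release an ephemeral port so it is, barring a
    race with another process, a known-closed port (test scaffolding)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, reachable in exposed_ports(target).items():
        state = "EXPOSED" if reachable else "closed or filtered"
        print(f"{target}:{port} {state}")
```

If any port reports EXPOSED from an Internet vantage point, the fix is a perimeter rule restricting those ports to the management network, not a change on the Director itself; the script is only a confirmation that the rule is in place.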

Black Lotus Labs shared its findings with U.S. authorities. The Cybersecurity and Infrastructure Security Agency on Tuesday urged organizations to apply all necessary updates, hunt for malicious activity and report any confirmed findings back to the agency.

CISA has added the vulnerability to its catalog of known exploited vulnerabilities.