The China-linked Advanced Persistent Threat (APT) group known as Volt Typhoon has been discovered exploiting a zero-day vulnerability in Versa Director, a critical network management platform. This development highlights the ongoing cybersecurity threats faced by critical infrastructure sectors.
The Vulnerability: CVE-2024-39717
The zero-day vulnerability, CVE-2024-39717, affects the “Change Favicon” feature in Versa Director’s graphical user interface (GUI). This flaw allows authenticated users with specific privileges to upload malicious files disguised as PNG images. Versa Networks, the company behind Versa Director, has confirmed at least one instance of the vulnerability being exploited due to a customer’s failure to implement recommended firewall guidelines.
Versa Director: A Critical Target
Versa Director is a centralized management and orchestration platform primarily used by Internet Service Providers (ISPs) and Managed Service Providers (MSPs) to manage Software-Defined Wide Area Networks (SD-WANs). The platform’s critical role in network infrastructure makes it an attractive target for cyber attackers.
Discovery and Analysis
Researchers at Lumen’s Black Lotus Labs discovered the vulnerability on June 17, 2024. They identified a malicious Java binary named “VersaTest.png” uploaded from Singapore to VirusTotal. Further analysis revealed this file as a custom Java web shell, internally called “Director_tomcat_memShell” and dubbed “VersaMem” by the researchers.
VersaMem: A Sophisticated Web Shell
VersaMem is a custom-tailored JAR web shell built specifically to target Versa Director systems. Key features of VersaMem include:
- Built using Apache Maven on June 3, 2024
- Attaches to the Apache Tomcat process upon execution
- Uses Java Instrumentation API and Javassist toolkit for in-memory code modification
- Captures plaintext user credentials
- Dynamically loads Java classes in memory
- Operates entirely in memory to avoid detection
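As an added defensive example (not code from Black Lotus Labs or Versa Networks), the check below tells a genuine PNG from a Java archive stored under a .png name, and inspects the archive manifest for the Agent-Class family of attributes that a JAR must declare before the Java Instrumentation API will attach it to a running JVM such as Tomcat. The sample JAR, its class name example.DemoAgent and the minimal PNG header are constructed fixtures.

```python
import io
import zipfile

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06")  # ZIP local header / empty archive
AGENT_ATTRIBUTES = ("Agent-Class", "Premain-Class", "Launcher-Agent-Class")  # java.lang.instrument
SAMPLE_PNG = PNG_SIGNATURE + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17  # constructed: sig + IHDR header

def classify_upload(data: bytes) -> dict:
    """Classify bytes stored as a 'PNG' favicon: png, jar-agent, jar, zip or unknown.
    A genuine PNG has the 8-byte signature followed by an IHDR chunk; a JAR is a ZIP file."""
    if data.startswith(PNG_SIGNATURE):
        if data[12:16] == b"IHDR":  # bytes 8..11 hold the chunk length, 12..15 its type
            return {"kind": "png", "reason": "PNG signature and IHDR chunk present"}
        return {"kind": "unknown", "reason": "PNG signature without IHDR chunk"}
    if data.startswith(ZIP_SIGNATURES):
        return _inspect_archive(data)
    return {"kind": "unknown", "reason": "neither PNG nor ZIP signature"}

def _inspect_archive(data: bytes) -> dict:
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            manifest = zf.read("META-INF/MANIFEST.MF") if "META-INF/MANIFEST.MF" in names else b""
    except zipfile.BadZipFile:
        return {"kind": "unknown", "reason": "PK signature but unreadable ZIP"}
    attrs = {}
    for line in manifest.decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition(":")
        if sep:
            attrs[key.strip()] = value.strip()
    found = [k for k in AGENT_ATTRIBUTES if k in attrs]
    if found:  # an agent JAR can be attached to a live JVM and rewrite classes in memory
        return {"kind": "jar-agent", "reason": f"manifest declares {found[0]}", "agent": attrs[found[0]]}
    if any(n.endswith(".class") for n in names):
        return {"kind": "jar", "reason": "ZIP archive containing Java classes"}
    return {"kind": "zip", "reason": "ZIP archive without Java classes"}

def build_sample_jar(agent: bool) -> bytes:
    """Constructed fixture, not a real sample: a minimal JAR, optionally declaring an agent."""
    manifest = "Manifest-Version: 1.0\n"
    if agent:  # example.DemoAgent is a made-up class name for this demo
        manifest += "Agent-Class: example.DemoAgent\nCan-Redefine-Classes: true\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("example/DemoAgent.class", b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()
```

Running classify_upload over every file in the favicon upload location, and alerting on anything other than "png", gives a simple content-based check that does not trust the file extension.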
Exploitation Campaign
Black Lotus Labs detected unusual traffic patterns indicating the exploitation of several U.S. Versa Director servers between June 12 and mid-July 2024. The researchers identified five victims, four in the U.S. and one outside, primarily in the ISP, MSP, and IT sectors. The earliest exploitation was detected at a U.S. ISP on June 12, 2024.
Volt Typhoon: A Persistent Threat
Volt Typhoon has been active since at least mid-2021, focusing on cyber operations against critical infrastructure. The group has targeted organizations in various sectors, including:
- Communications
- Manufacturing
- Utilities
- Transportation
- Construction
- Maritime
- Government
- Information Technology
- Education
Tactics and Techniques
Volt Typhoon is known for its sophisticated approach to cyberattacks:
- Extensive use of living-off-the-land techniques
- Hands-on-keyboard activity to evade detection
- Routing malicious traffic through compromised SOHO network devices
- Reliance on customized versions of open-source tools for command and control (C2) communications
Implications for Critical Infrastructure
U.S. agencies have expressed concern about Volt Typhoon’s activities, particularly the potential for the group to:
- Gain access to critical infrastructure networks
- Cause disruptive effects during geopolitical tensions or military conflicts
- Establish footholds within networks to secure access to Operational Technology (OT) assets
Mitigation and Response
In response to the threat posed by Volt Typhoon, U.S. agencies have released a technical guide containing recommendations on how to identify and mitigate the living-off-the-land techniques adopted by the APT group. Organizations using Versa Director are urged to implement the recommended firewall guidelines and keep their systems updated.