Thursday, September 11, 2025

Volt Typhoon Hackers Exploit Zero-Day Vulnerability in Versa Director Servers Used by MSPs, ISPs


Volt Typhoon, a Chinese state-sponsored hacking group, has been caught exploiting a zero-day vulnerability in Versa Director servers, which are used by managed service providers and internet service providers.

CVE-2024-39717 was added to CISA's Known Exploited Vulnerabilities Catalog on Aug. 23 after Lumen Technologies discovered its active exploitation.

Data from Censys shows that 163 devices in the U.S., Philippines, Shanghai, and India are still exposed, despite Versa Networks releasing a patch for Versa Director versions 21.2.3, 22.1.2, and 22.1.3. The security firm urged users of these devices to segment them into a protected network and isolate them from the internet.

Why cybercriminals targeted Versa Director servers

Versa Director servers enable MSPs and ISPs to centrally manage network configurations for devices running SD-WAN software. They are a popular target for hackers because a single compromised Director can be used to reach many downstream systems.

Because of the potential for a large-scale attack, the vulnerability has been given a "high-severity" rating by Versa Networks, even though it is relatively difficult to exploit.

CVE-2024-39717 affects all Versa Director versions prior to 22.1.4. Cybercriminals exploited it using a custom-tailored web shell that Black Lotus Labs, the cyber research arm of Lumen Technologies, is calling "VersaMem." The web shell intercepts credentials that attackers can then use to gain authorised access to other user networks.

Black Lotus Labs has linked the exploitation of CVE-2024-39717 to Volt Typhoon with "moderate confidence," according to its vulnerability report. It also said that attacks are "likely ongoing against unpatched Versa Director systems."

SEE: Microsoft warns of Volt Typhoon, latest salvo in global cyberwar

Versa maintains that there has only been one confirmed instance of its exploitation by an Advanced Persistent Threat actor. It also said that the customer had "failed to implement system hardening and firewall guidelines" published in 2017 and 2015, respectively, meaning a management port was left exposed. This port provided the threat actor with initial access without needing the Versa Director GUI.

However, the Black Lotus Labs team says it has identified threat actors exploiting the vulnerability at four U.S. companies and one non-U.S. company in the ISP, MSP, and IT sectors since June 12. Versa has said that instances based on the observations of a third-party provider are "unconfirmed so far."

In their report, the analysts wrote: "The threat actors gain initial administrative access over an exposed Versa management port intended for high-availability (HA) pairing of Director nodes, which leads to exploitation and the deployment of the VersaMem web shell."

CISA recommends that all vulnerabilities included in the Known Exploited Vulnerabilities Catalog are remediated quickly as part of the organisation's vulnerability management practice.

How can CVE-2024-39717 be exploited?

CVE-2024-39717 allows authenticated users with high-level privileges to upload malicious files, often disguised as images, which can then execute harmful code. Once exploited, the vulnerability can be used to gain unauthorised access and escalate privileges.

The Volt Typhoon threat actors gained privileged access to Versa Director by exploiting an exposed Versa management port intended for high-availability pairing of Director nodes. They then deployed a custom web shell on the Apache Tomcat web server, giving them remote control, before using memory injection techniques to insert malicious code into legitimate Tomcat processes. The injected code allowed them to run commands and control the compromised system while blending in with normal traffic.

Finally, they modified Versa's "setUserPassword" authentication functionality to intercept and capture customer credentials in plaintext, which they could then use to compromise customer infrastructure.

The web shell was also used to hook Tomcat's "doFilter" request filtering functionality and intercept inbound HTTP requests. The threat actors can then inspect those requests for sensitive information or dynamically load in-memory Java modules.

Who is Volt Typhoon?

Volt Typhoon is a Chinese state-sponsored hacking group that has carried out hundreds of attacks on critical infrastructure since it became active in mid-2021. In May 2023, Microsoft released a warning about the group that stated it used "living off the land" data extraction and cyber espionage techniques.

In December 2023, an FBI investigation uncovered a wide-ranging botnet attack by the gang, built from hundreds of privately owned routers across the U.S. and its overseas territories. The following month, Department of Justice investigators said that the malware had been deleted from affected routers, neutralising the botnet.

Recommendations for protecting Versa Director servers

Versa Networks and Lumen Technologies both make a number of recommendations to users of Versa Director servers:

  1. Patch immediately: Patches for versions 21.2.3, 22.1.2, and 22.1.3 are available.
  2. Apply hardening best practices: Versa Networks recommends following its Firewall and System Hardening requirements.
  3. Check whether the vulnerability has already been exploited:
    a) Inspect "/var/versa/vnms/web/custom_logo/" for any suspicious files. Run the command "file -b --mime-type <.png file>" to confirm that the file type is reported as "image/png."
    b) Search for interactions with port 4566 on Versa Director servers from non-Versa node IPs (e.g., SOHO devices).
    c) Check for newly created user accounts and other irregular files.
    d) Review existing accounts, logs, and credentials, and triage any lateral movement attempts if indicators of compromise are detected.
  4. Block external access to ports 4566 and 4570: Ensure the ports are only open between the active and standby Versa Director nodes for HA-pairing traffic. Read the customer support article named Versa Director HA Port Exploit – Discovery and Remediation.
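Checks 3a and 3b above, scripted as an added example that is not Versa's or Lumen's own tooling. It assumes the custom_logo path given in the list, uses the advisory's `file -b --mime-type` (with a PNG-signature fallback on hosts without `file`), and reads a constructed `src=IP dport=N` log format; real firewall logs will need their own field parsing.

```shell
#!/bin/sh
# Added example, not Versa's or Lumen's tooling: scripts checks 3a and 3b from the list above.
# Assumed: the custom_logo path from the advisory; the "src=IP dport=N" log format is constructed.
# MIME type of a file: the advisory's `file -b --mime-type`, with a PNG-signature fallback
# for hosts that lack `file`. The extension is ignored on purpose: a ".png" name proves nothing.
mime_of() {
    if command -v file >/dev/null 2>&1; then file -b --mime-type "$1"
    elif [ "$(od -An -tx1 -N8 "$1" | tr -d ' \n')" = 89504e470d0a1a0a ]; then echo image/png
    else echo unknown; fi
}

# Check 3a: everything under custom_logo must really be a PNG. Prints offenders; returns 1 if any.
check_custom_logo() {
    dir=${1:-/var/versa/vnms/web/custom_logo}; rc=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mime=$(mime_of "$f")
        [ "$mime" = image/png ] && continue
        printf 'SUSPICIOUS: %s is %s, not image/png\n' "$f" "$mime"; rc=1
    done
    return $rc
}

# Check 3b: traffic to HA ports 4566/4570 must only come from the peer Director node(s).
# Usage: check_ha_port_sources LOGFILE PEER_IP...  Prints other sources; returns 1 if any.
check_ha_port_sources() {
    logfile=$1; shift
    hits=$(awk -v peers="$*" '
        BEGIN { n = split(peers, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        { src = ""; dport = ""
          for (i = 1; i <= NF; i++) {
              if ($i ~ /^src=/) src = substr($i, 5)
              if ($i ~ /^dport=/) dport = substr($i, 7) }
          if ((dport == 4566 || dport == 4570) && !(src in ok)) print src }' "$logfile" | sort -u)
    [ -z "$hits" ] && return 0
    printf 'non-peer source to HA port: %s\n' "$hits"; return 1
}
# Constructed demo data: a real 1x1 PNG, a text file renamed .png, and three firewall-style lines.
demo() {
    d=$(mktemp -d)
    printf '\211PNG\r\n\032\n\000\000\000\015IHDR\000\000\000\001\000\000\000\001\010\002\000\000\000\220wS\336' > "$d/logo.png"
    printf 'not a png\n' > "$d/banner.png"
    printf '%s\n' 'src=192.0.2.11 dst=192.0.2.10 dport=4566' \
        'src=203.0.113.5 dst=192.0.2.10 dport=4566' 'src=198.51.100.7 dst=192.0.2.10 dport=443' > "$d/fw.log"
    check_custom_logo "$d"; check_ha_port_sources "$d/fw.log" 192.0.2.11   # 192.0.2.11 = assumed HA peer
    rm -rf "$d"
}
demo
```

On a live Director, call `check_custom_logo` with no argument and feed `check_ha_port_sources` the exported firewall or flow log after mapping its fields to the `src=`/`dport=` form.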

For more technical information, indicators of compromise, and recommendations, see the report from Black Lotus Labs and its YARA rules for threat hunting.
