The Chinese state-backed hacking group Volt Typhoon is behind attacks that exploited a zero-day flaw in Versa Director to upload a custom webshell to steal credentials and breach corporate networks.

Versa Director is a management platform ISPs and MSPs use to manage virtual WAN connections created using SD-WAN services.

The vulnerability is tracked as CVE-2024-39717 and resides in a feature allowing admins to upload custom icons to customize the Versa Director GUI. However, the flaw allowed threat actors with administrator privileges to upload malicious Java files disguised as PNG images, which can then be executed remotely.

In an advisory published yesterday, Versa says that Director versions 21.2.3, 22.1.2, and 22.1.3 are impacted by the flaw. Upgrading to the latest version, 22.1.4, will fix the vulnerability, and admins should review the vendor’s system hardening requirements and firewall guidelines.

Versa told BleepingComputer that they classify this vulnerability as a privilege elevation flaw as it was used to harvest credentials from users who logged into the system. However, other types of malware could have been used to perform different types of malicious activity on the device.

Exploited to breach networks

Researchers at Lumen’s Black Lotus Labs discovered the Versa zero-day vulnerability on June 17 after finding a malicious Java binary named ‘VersaTest.png’ uploaded from Singapore to VirusTotal.

Analysis of the file determined it was a custom Java web shell named internally as “Director_tomcat_memShell,” but dubbed by the researchers as “VersaMem”. The malware currently has 0 detections on VirusTotal and is designed specifically for Versa Directors.

After analyzing global telemetry, Black Lotus Labs detected traffic from SOHO routers exploiting a Versa vulnerability as a zero-day to deploy this web shell since June 12, 2024.

While the vulnerability requires administrator privileges, the researchers say that the threat actors were able to gain elevated privileges through an exposed Versa Director port used for high availability (HA) pairing of nodes.

Versa confirmed this to BleepingComputer, explaining that the threat actors exploited the vulnerability to steal credentials using these steps:

1. Access the exposed HA port using an NCS client and create an account with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges.
2. Exploit the zero-day vulnerability using the account created in Step #1 to planting the malicious JAR web shell used to steal credentials.
3. (Optional) Delete the account created in Step #1.
4. Harvest credentials of legitimate users who logged in subsequent to Step #2.

Versa says that the threat actors could not have exploited the flaw if the HA port was protected according to the company’s firewall guidelines. When asked why the port was open by default, Versa said it was required for the high availability feature.

Black Lotus Labs reported the flaw to Versa on July 20, who then privately alerted customers on July 26.

The custom VersaMem web shell is primarily used to steal the credentials of legitimate users to breach the targeted internal network. These stolen passwords are encrypted and saved to the /tmp/.temp.data file for later retrieval by the threat actors.

The custom web shell can also stealthily load in-memory Java byte code sent by the attackers, which is then executed in the Tomcat webserver running on the compromised Versa Director device.

Black Lotus Labs told BleepingComputer that they know of four organizations in the US and one in India impacted by the zero-day, with the threat actors breaching the network in at least one of the attacks.

“Analysis of our global telemetry identified actor-controlled small-office/home-office (SOHO) devices exploiting this zero-day vulnerability at four U.S. victims and one non-U.S. victim in the Internet service provider (ISP), managed service provider (MSP) and information technology (IT) sectors as early as June 12, 2024,” explained Black Lotus Labs.

Customers can check if their devices were compromised by inspecting the /var/versa/vnms/web/custom_logo/ folder for suspicious files. Lumen’s Black Lotus Labs recommends admins check devices for newly created accounts and restrict access to the HA port.

The researchers have shared a complete list of IoCs related to this campaign and further steps to mitigate attacks in the report.

Volt Typhoon

The researchers linked these attacks to Volt Typhoon, aka Bronze Silhouette, based on known tactics, techniques, and procedures.

Volt Typhoon is a Chinese state-sponsored hacking group known to hijack SOHO routers and VPN devices and use them to launch stealthy attacks on targeted organizations.

The threat actors use compromised routers, firewalls, and VPN devices to blend their malicious traffic with legitimate traffic so attacks remain undetected.

In December 2023, Black Lotus Labs disclosed that the threat actors were compromising SOHO routers, VPN devices, and IP cameras to build the ‘KV-botnet,’ used to launch attacks on targeted networks. Devices compromised to host the malware in this campaign included Netgear ProSAFE firewalls, Cisco RV320s, DrayTek Vigor routers, and Axis IP cameras.

A month later, CISA and the FBI issued a joint advisory calling on manufacturers of small office/home office (SOHO) routers to ensure their devices’ security against attacks by Volt Typhoon.

That same day, the FBI disclosed that they disrupted Volt Typhoon’s KV-botnet, which the threat actors had used to attack critical infrastructure in the US.

In February, Volt Typhoon exploited a remote code execution vulnerability in FortiOS SSL VPN to install custom malware, with over 20,000 Fortinet devices impacted by the attacks.