
Volt Typhoon, a Chinese government-backed hacking group, has been found exploiting a zero-day vulnerability in Versa Director servers, which are used by hosting providers and Internet service providers.
CVE-2024-39717 was added to CISA’s Known Exploited Vulnerabilities catalog on August 23, after Lumen Technologies discovered that the vulnerability was being actively exploited.
Data from Censys indicates that 163 devices remain exposed in the United States, the Philippines, Shanghai, and India, even though Versa Networks has released patches in Versa Director versions 21.2.3, 22.1.2, and 22.1.3. The security company urged users of these devices to segment them into protected networks and isolate them from the internet.
Why Cybercriminals Target Versa Director Servers
Versa Director servers let MSPs and ISPs centrally manage the network configurations of devices running SD-WAN software. They are a popular target for attackers because a single compromised server can be used to attack many downstream systems.
Versa Networks rated the vulnerability as “high severity” due to the potential for large-scale attacks, despite it being relatively difficult to exploit.
CVE-2024-39717 affects all Versa Director versions prior to 22.1.4. The attackers exploited the vulnerability using a custom web shell, which Black Lotus Labs, the cyber research division of Lumen Technologies, dubbed “VersaMem.” The web shell intercepts credentials that the attacker can then use to log in to other customers’ networks as an authenticated user.
Black Lotus Labs has linked the exploitation of CVE-2024-39717 to Volt Typhoon and is “confident” that the exploit is in active use, according to its vulnerability report, which also states that “attacks against unpatched Versa Director systems are likely continuing.”
Versa says there is only one confirmed case, and that the affected customer “failed to implement system hardening and firewall guidance published in 2017 and 2015, respectively,” meaning that management ports were left exposed. That exposed port gave the threat actors initial access without needing the Versa Director GUI.
However, the Black Lotus Labs team said it has observed threat actors exploiting the vulnerability at four U.S. companies and one non-U.S. company in the ISP, MSP and IT sectors since June 12. Versa said these instances, which are based on observations by third-party providers, “have not been confirmed to date.”
“The threat actor gained initial administrative access through an exposed Versa management port used for high availability (HA) pairing of Director nodes, leading to the exploitation and deployment of the VersaMem web shell,” the analysts wrote in the report.
CISA recommends that every vulnerability listed in its Known Exploited Vulnerabilities catalog be remediated promptly as part of an organization’s vulnerability management practice.
How is CVE-2024-39717 exploited?
CVE-2024-39717 allows an authenticated user with elevated privileges to upload malicious files, sometimes disguised as images, and then execute harmful code. Once exploited, the vulnerability could be used to gain unauthorized access and escalate privileges.
The Volt Typhoon threat actors exploited the exposed Versa management port used for high availability pairing of Director nodes to gain privileged access to the Versa Director. They then deployed a custom web shell on the Apache Tomcat web server, gaining remote control, and then used memory injection techniques to insert malicious code into the legitimate Tomcat process. This injected code enabled them to run commands and control the infected system while blending in with normal traffic.
Finally, they modified Versa’s “setUserPassword” authentication function to intercept and capture plain-text client credentials, which could then be leveraged to compromise client infrastructure.
The web shell is also used to hook Tomcat’s “doFilter” request filtering functionality and intercept inbound HTTP requests. The threat actor can then inspect these requests for sensitive information or dynamically load Java modules in memory.
Who is Volt Typhoon?
Volt Typhoon is a Chinese government-backed hacking group that has conducted hundreds of attacks on critical infrastructure since becoming active in mid-2021. Microsoft issued a warning about the group, saying it relies on “living off the land” techniques for data extraction and cyber espionage.
In December 2023, an FBI investigation found that the group had built a large botnet out of hundreds of privately owned routers in the U.S. and its overseas territories. The following month, Justice Department investigators said the malware had been removed from the affected routers, eliminating the botnet.
Recommendations for securing your Versa Director server
Both Versa Networks and Lumen Technologies have a number of recommendations for Versa Director server users:
- Patch now: fixed versions 21.2.3, 22.1.2, and 22.1.3 are available.
- Apply hardening best practices: Versa Networks recommends following its firewall and system hardening requirements.
- Check whether the vulnerability has been exploited:
a) Check for suspicious files in “/var/versa/vnms/web/custom_logo/”. Run “file -b --mime-type <.png file>” on each file; it should report “image/png”, and any other type is suspicious.
b) Search for connections to port 4566 on the Versa Director server from any IP that is not a Versa node (for example, a SOHO device).
c) Check for newly created user accounts and other unusual files.
d) Review existing accounts, logs, and credentials and, if indicators of compromise are found, triage any lateral movement attempts.
- Block external access to ports 4566 and 4570: ensure these ports are open only between the active and standby Versa Director nodes for HA pairing traffic. See the customer support article titled Versa Director HA Port Vulnerability – Discovery and Fix.
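As an added example (not Versa’s or Lumen’s tooling), the following Python approximates checks (a) and (b) above: it flags files in a custom_logo directory whose bytes are not a PNG, standing in for the `file -b --mime-type` test, and it parses `ss -tn`-style connection rows for port 4566/4570 peers that are not known HA nodes. The directory contents, connection rows and IP addresses are constructed for the demonstration.

```python
"""Triage helpers for checks (a) and (b). Added example, not Versa's or
Lumen's tooling; the sample directory and connection rows are constructed."""
import tempfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # first 8 bytes of every real PNG file
HA_PORTS = {4566, 4570}            # should only carry HA pairing traffic

def find_non_png_files(logo_dir):
    """Names in logo_dir whose bytes are not a PNG (anything other than
    image/png under custom_logo/ is suspicious per the Versa guidance)."""
    suspicious = []
    for entry in sorted(Path(logo_dir).iterdir()):
        if entry.is_file() and entry.read_bytes()[:8] != PNG_MAGIC:
            suspicious.append(entry.name)
    return suspicious

def find_unexpected_ha_peers(ss_lines, allowed_peers):
    """(peer_ip, local_port) for connections to 4566/4570 from any IP that is
    not a known HA peer. Rows mimic 'ss -tn': State Recv-Q Send-Q Local Peer."""
    hits = []
    for line in ss_lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":   # skip header / short rows
            continue
        local_port = int(parts[3].rsplit(":", 1)[1])
        peer_ip = parts[4].rsplit(":", 1)[0]
        if local_port in HA_PORTS and peer_ip not in allowed_peers:
            hits.append((peer_ip, local_port))
    return hits

# Constructed sample: 10.0.0.5 is this Director, 10.0.0.6 its HA peer,
# 198.51.100.23 is an outside host that should never reach port 4566.
SS_SAMPLE = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB  0      0      10.0.0.5:4566       10.0.0.6:50122
ESTAB  0      0      10.0.0.5:4570       10.0.0.6:50123
ESTAB  0      0      10.0.0.5:4566       198.51.100.23:41870
ESTAB  0      0      10.0.0.5:443        203.0.113.8:55211""".splitlines()
HA_PEERS = {"10.0.0.6"}

def demo_logo_scan():
    """Constructed custom_logo/ stand-in: one real PNG header and one text
    file renamed to .png. Returns the flagged file names."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "logo.png").write_bytes(PNG_MAGIC + b"\0\0\0\rIHDR")
        (Path(d) / "banner.png").write_text("plain text, not an image\n")
        return find_non_png_files(d)

if __name__ == "__main__":
    print("non-PNG files in custom_logo:", demo_logo_scan())
    print("unexpected HA-port peers:", find_unexpected_ha_peers(SS_SAMPLE, HA_PEERS))
```

On a real Director node, point `find_non_png_files` at /var/versa/vnms/web/custom_logo/ and feed `find_unexpected_ha_peers` the output of `ss -tn` with the standby node’s IP as the only allowed peer.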
For more technical information, indicators of compromise, and recommendations, see the Black Lotus Labs report and its YARA threat-hunting rules.