2024-09-05

Chinese Threat Group Volt Typhoon Identified in Versa Director Exploitation

Level: Strategic  |  Source: CISA, Krebs on Security, Lumen Technologies & Versa
Internet Service Providers (ISPs) | Technology


Active exploitation of a critical zero-day vulnerability, CVE-2024-39717, in Versa Director servers has been identified by Lumen Technologies' Black Lotus Labs. The vulnerability affects several versions of Versa Director, specifically 21.2.2, 21.2.3, 22.1.1, 22.1.2, and 22.1.3; immediate patching to version 22.1.4 or later is strongly recommended. It allows threat actors to upload and execute malicious Java files disguised as PNG images. Black Lotus Labs found that the attacks began with the compromise of a Versa Director management port, port 4566. Researchers assess that "the short timeframe of TCP traffic to port 4566, immediately followed by moderate-to-large sessions of HTTPS traffic over port 443 from a non-Versa node IP address (e.g., a SOHO device), is a likely signature of successful exploitation." This finding let researchers review telemetry data and identify "four U.S. victims and one non-U.S. victim in the ISP, MSP, and IT sectors, with the earliest exploitation activity occurring at a U.S. ISP on June 12, 2024." The exploitation is attributed to the Chinese threat group Volt Typhoon, a high-risk group that U.S. agencies have repeatedly warned about because of the threat it poses to critical infrastructure, where its compromises are intended to disrupt operations. Its current targeting of internet service providers and technology organizations fits its established target scope and places a broad range of downstream customers at risk.
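The traffic pattern quoted above can be turned into a simple flow-based hunt. The following Python is an added example, not code from Lumen, Versa or Anvilogic; the flow record schema, the list of known Versa node IPs and the thresholds (time window, session duration, HTTPS byte count) are assumptions to be tuned against local telemetry.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Flow:
    """One NetFlow-style record (constructed schema, not Versa's)."""
    start: datetime
    src: str
    dst: str
    dport: int
    duration_s: float
    bytes: int

# Assumed: IPs of legitimate Versa nodes, which exchange HA pairing traffic on 4566.
KNOWN_VERSA_NODES = {"10.0.0.2"}

def flag_suspicious(flows, window_s=600, max_4566_s=60, min_https_bytes=50_000):
    """Return (src_ip, start_time) for each short TCP/4566 session from a
    non-Versa IP that is followed within window_s seconds by an HTTPS session
    of at least min_https_bytes from the same IP. Thresholds are assumptions."""
    by_src = {}
    for f in sorted(flows, key=lambda r: r.start):
        by_src.setdefault(f.src, []).append(f)
    hits = []
    for src, fs in by_src.items():
        if src in KNOWN_VERSA_NODES:
            continue  # 4566 traffic between Versa nodes is expected HA pairing
        for f in fs:
            if f.dport != 4566 or f.duration_s > max_4566_s:
                continue
            deadline = f.start + timedelta(seconds=window_s)
            if any(g.dport == 443 and g.bytes >= min_https_bytes
                   and f.start < g.start <= deadline for g in fs):
                hits.append((src, f.start))
    return hits

# Constructed sample flows toward a Director at 10.0.0.1 (no real telemetry).
T0 = datetime(2024, 6, 12, 3, 0, 0)
SAMPLE_FLOWS = [
    Flow(T0, "10.0.0.2", "10.0.0.1", 4566, 900.0, 2_000_000),  # HA peer, benign
    Flow(T0 + timedelta(minutes=5), "203.0.113.7", "10.0.0.1", 4566, 3.2, 1_500),
    Flow(T0 + timedelta(minutes=6), "203.0.113.7", "10.0.0.1", 443, 120.0, 350_000),
    Flow(T0 + timedelta(minutes=7), "198.51.100.9", "10.0.0.1", 443, 30.0, 80_000),
]

if __name__ == "__main__":
    for src, when in flag_suspicious(SAMPLE_FLOWS):
        print(f"possible exploitation attempt from {src} starting {when.isoformat()}")
```

Only the SOHO-like address that briefly touches 4566 and then opens a sizable HTTPS session is flagged; the HA peer and the plain HTTPS admin session are not.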

The technical specifics of the attack show that after attackers gain initial access through a management port normally used for high-availability pairing between Versa nodes, they deploy a custom-tailored JAR web shell, VersaMem, to execute malicious activity directly in memory. The web shell intercepts and harvests credentials, which can then be used to extend the intrusion deeper into affected networks. Black Lotus Labs explains that VersaMem captures credentials in plain text and dynamically loads Java classes in memory, and that this hooking "occurs in memory only, and no Java files on disk are modified to enable the hooks." Versa's security bulletin urges customers to apply its system hardening and firewall guidelines to protect against such vulnerabilities, noting that the compromise may be due to "Impacted customers failing to implement system hardening and firewall guidelines mentioned above, leaving a management port exposed on the internet that provided the threat actors with initial access."

The implications of this vulnerability are significant and are heightened by Volt Typhoon's activities, as corroborated by Brian Krebs of Krebs on Security. Volt Typhoon has been actively using edge devices as a vector to infiltrate and potentially disrupt critical infrastructure across the United States. The group's activities align with a broader pre-positioning strategy within essential service providers' networks, intended to enable disruptive actions in future geopolitical conflicts. The Cybersecurity and Infrastructure Security Agency (CISA) has recognized the severity of CVE-2024-39717 by adding it to its Known Exploited Vulnerabilities catalog, urging all stakeholders to address the risk urgently.
