China’s Volt Typhoon Exploits 0-day in Versa’s SD-WAN Director Servers

August 28, 2024 at 05:13AM

China’s Volt Typhoon group has been exploiting a zero-day bug in Versa Networks’ Director servers to harvest credentials for follow-on attacks. The bug, tracked as CVE-2024-39717, affects Versa Director versions prior to 22.1.4 and was reached through exposed high-availability management ports, prompting CISA to add it to its Known Exploited Vulnerabilities catalog and require mitigation. Lumen researchers assess that exploitation is likely ongoing and urge customers to upgrade to a fixed version.

There has been active exploitation of a zero-day bug, now patched and tracked as CVE-2024-39717, in Versa Networks’ Director servers by the China-sponsored group Volt Typhoon. The bug affects all versions of Versa Director prior to 22.1.4 and allows attackers to intercept and harvest credentials for privileged access. The attackers gained initial access via the high-availability management ports 4566 and 4570, which should not be reachable from untrusted networks, and then escalated privileges to obtain the highest-level administrator credentials. Lumen Technologies’ Black Lotus Labs discovered the exploitation and reported it to Versa, prompting the company to issue advisories and a security bulletin.

The attackers have compromised at least five victims, including organizations in the managed service provider, Internet service provider, and IT sectors, at least four of them US-based. Lumen researchers believe exploitation of this vulnerability is limited to Volt Typhoon and is likely continuing against unpatched Versa Director systems. The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-39717 to its Known Exploited Vulnerabilities catalog; federal civilian executive branch agencies must apply Versa’s mitigations by CISA’s deadline or discontinue use of the product until it can be mitigated.

Organizations running Versa SD-WAN should apply the vendor’s mitigations, upgrade to a remediated or hardened release, and follow Versa’s system hardening and firewall guidance so that the Director management ports are reachable only from trusted peers. Versa also noted that a version of the Director software released last year includes hardening measures that make the system secure by default and the bug unexploitable.
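The hardening point above is concrete enough to check: the article names TCP 4566 and 4570 as the high-availability ports Volt Typhoon used for initial access, so a defender's first question is whether those ports listen on a wildcard address and who can reach them. The script below is an added example, not code from the article or from Versa's own hardening guide. It assumes a Linux host with iptables and that the HA ports should be reachable only from the peer Director's IP addresses; the port roles, the `ss`-style sample lines and the peer address are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and restrict Versa Director HA ports (assumed roles,
# not taken from Versa documentation).

# Ports the article identifies as the initial-access path.
HA_PORTS="4566 4570"

# Read `ss -Hltn`-style lines on stdin and print "<port> <local-addr>" for
# every HA port bound to a wildcard address (reachable on all interfaces).
exposed_ha_listeners() {
    while read -r state recvq sendq local peer rest; do
        port=${local##*:}      # text after the last colon
        addr=${local%:*}       # text before the last colon ("[::]" for v6 any)
        case " $HA_PORTS " in
            *" $port "*) ;;
            *) continue ;;
        esac
        case "$addr" in
            0.0.0.0|'*'|'[::]') printf '%s %s\n' "$port" "$addr" ;;
        esac
    done
}

# Emit iptables commands that accept the HA ports only from the given peer
# IPs and drop everything else destined to them. Arguments: peer IPs.
ha_port_rules() {
    for port in $HA_PORTS; do
        for peer in "$@"; do
            printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$peer"
        done
        printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
    done
}

# Constructed sample in `ss -Hltn` layout (not captured from a real Director):
# 4566 and the IPv6 4570 listener are wildcard-bound, 10.0.0.5:4570 is not.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:4566 0.0.0.0:*
LISTEN 0 128 10.0.0.5:4570 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 [::]:4570 [::]:*'

echo "Wildcard-bound HA listeners:"
printf '%s\n' "$SAMPLE_SS" | exposed_ha_listeners
echo "Suggested rules (assumed HA peer 10.0.0.6):"
ha_port_rules 10.0.0.6
```

On a live host replace the constructed sample with `ss -Hltn | exposed_ha_listeners`, and review the emitted rules against Versa's published guidance before applying them; a wildcard listener is only a problem if the perimeter also lets untrusted sources reach it, which is exactly the condition the article describes.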
