Chinese Volt Typhoon hackers exploited Versa zero-day to breach ISPs, MSPs

August 27, 2024 at 10:05AM

Chinese hacking group Volt Typhoon exploited a zero-day vulnerability in Versa Director to upload a destructive webshell, allowing them to steal credentials and breach corporate networks. Versa has released an advisory outlining impacted versions and the recommended upgrade to fix the issue. Lumen’s Black Lotus Labs identified the exploit and associated it with Volt Typhoon’s previous cyberattacks.

Key takeaways from the article:

1. The Chinese state-backed hacking group Volt Typhoon is responsible for exploiting a zero-day vulnerability in Versa Director to upload a custom webshell, which was then used to steal credentials and breach corporate networks.

2. The vulnerability, tracked as CVE-2024-39717, allows threat actors with administrator privileges to upload malicious Java files disguised as PNG images, enabling remote execution.

3. Versa has confirmed that Director versions 21.2.3, 22.1.2, and 22.1.3 are impacted by the flaw and has released a fix in version 22.1.4.

4. The custom web shell, named “VersaMem,” is specifically designed for Versa Directors and has been used to steal credentials and perform malicious activities on compromised devices.

5. The threat actors were able to gain elevated privileges through an exposed Versa Director port used for high availability (HA) pairing of nodes.

6. The attacks have been linked to the tactics, techniques, and procedures of the Chinese state-sponsored hacking group Volt Typhoon, which has a history of compromising SOHO routers and VPN devices to launch stealthy attacks.

7. Customers are advised to check for signs of compromise, such as inspecting specific folders for suspicious files, and take steps to mitigate the attacks outlined in the report.
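As an added example (not from the article, Versa, or Lumen), the following Python check illustrates the kind of inspection a defender could run over an upload directory for the trick described in item 2: it flags files named .png whose leading bytes are a Java class or JAR/zip signature instead of a PNG signature. The directory and sample files are constructed placeholders; the article does not name the specific folders to inspect.

```python
import tempfile
from pathlib import Path

# File signatures (magic bytes) used to decide what a ".png" file really contains.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # compiled Java .class file
ZIP_MAGIC = b"PK\x03\x04"                # JAR/WAR archives are zip containers


def classify_header(header: bytes) -> str:
    """Guess the content type from the leading bytes only (extension is ignored)."""
    if header.startswith(PNG_MAGIC):
        return "png"
    if header.startswith(JAVA_CLASS_MAGIC):
        return "java-class"
    if header.startswith(ZIP_MAGIC):
        return "zip-or-jar"
    return "unknown"


def scan_for_disguised_files(root: str) -> list:
    """Walk `root` and report every *.png whose header is not a real PNG signature."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".png":
            continue
        with path.open("rb") as fh:
            kind = classify_header(fh.read(8))
        if kind != "png":
            findings.append({"path": str(path), "looks_like": kind,
                             "size": path.stat().st_size})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_dir() -> str:
    """Constructed sample directory (placeholder, not a real Versa Director path)."""
    root = tempfile.mkdtemp(prefix="png_check_")
    # A genuine PNG header, a Java class header and a zip/JAR header, all named .png.
    (Path(root) / "logo.png").write_bytes(PNG_MAGIC + b"\x00" * 16)
    (Path(root) / "shell.png").write_bytes(JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34")
    (Path(root) / "bundle.png").write_bytes(ZIP_MAGIC + b"\x00" * 8)
    return root


if __name__ == "__main__":
    for f in scan_for_disguised_files(build_sample_dir()):
        print(f"{f['path']}: named .png but content looks like {f['looks_like']}")
```

Pair the header check with a review of file timestamps and owners in the same directory; a content mismatch is a strong signal, but a real PNG can still be a decoy next to the file that matters.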

These takeaways provide a clear understanding of the security threat posed by the zero-day vulnerability in Versa Director and the actions recommended to address and mitigate the risks associated with this exploit.