Volt Typhoon, a Chinese state-sponsored hacking group, has been caught exploiting a zero-day vulnerability in Versa Director servers, which are used by managed service providers and internet service providers.
CVE-2024-39717 was added to CISA's "Known Exploited Vulnerabilities Catalog" on Aug. 23 after Lumen Technologies discovered its active exploitation.
Data from Censys shows that 163 devices in the U.S., the Philippines, Shanghai, and India are still exposed, despite Versa Networks releasing a patch for Versa Director versions 21.2.3, 22.1.2, and 22.1.3. The security company urged users of these devices to segment them into a protected network and isolate them from the internet.
Why cybercriminals targeted Versa Director servers
Versa Director servers enable MSPs and ISPs to centrally manage network configurations for devices running SD-WAN software. They are a popular target for hackers because a single compromised Director can be used to reach multiple downstream systems.
Because of the potential for a large-scale attack, the vulnerability has been given a "high-severity" rating by Versa Networks, even though it is relatively difficult to exploit.
CVE-2024-39717 affects all Versa Director versions prior to 22.1.4. Cybercriminals exploited it using a custom-tailored web shell that Black Lotus Labs, the cyber research arm of Lumen Technologies, is calling "VersaMem." The web shell intercepts credentials that attackers can then use to gain authorised access to other customer networks.
Black Lotus Labs has linked the exploitation of CVE-2024-39717 to Volt Typhoon with "moderate confidence," according to its vulnerability report. It also said that attacks are "likely ongoing against unpatched Versa Director systems."
SEE: Microsoft warns of Volt Typhoon, latest salvo in global cyberwar
Versa maintains that there has only been one confirmed instance of its exploitation by an Advanced Persistent Threat actor. It also said that the customer had "failed to implement system hardening and firewall guidelines" published in 2017 and 2015, respectively, meaning a management port was left exposed. This port provided the threat actor with initial access without needing the Versa Director GUI.
However, the Black Lotus Labs team says it has identified threat actors exploiting the vulnerability at four U.S. companies and one non-U.S. company in the ISP, MSP, and IT sectors since June 12. Versa has said that instances based on the observations of a third-party provider are "unconfirmed so far."
In their report, the analysts wrote: "The threat actors gain initial administrative access over an exposed Versa management port intended for high-availability (HA) pairing of Director nodes, which leads to exploitation and the deployment of the VersaMem web shell."
CISA recommends that all vulnerabilities included in the Known Exploited Vulnerabilities Catalog are remediated quickly as part of the company's vulnerability management practice.
How can CVE-2024-39717 be exploited?
CVE-2024-39717 allows authenticated users with high-level privileges to upload malicious files, often disguised as images, which can then execute harmful code. Once exploited, the vulnerability can be used to gain unauthorised access and escalate privileges.
The Volt Typhoon threat actors gained privileged access to Versa Director by exploiting an exposed Versa management port intended for high-availability pairing of Director nodes. They then deployed a custom web shell on the Apache Tomcat web server, giving them remote control, before using memory injection techniques to insert malicious code into legitimate Tomcat processes. The injected code allowed them to run commands and control the compromised system while blending in with normal traffic.
Finally, they modified Versa's "setUserPassword" authentication functionality to intercept and capture customer credentials in plaintext, which they could then use to compromise customer infrastructure.
The web shell was also used to hook Tomcat's "doFilter" request filtering functionality and intercept inbound HTTP requests. The threat actors can then inspect those requests for sensitive information or dynamically load in-memory Java modules.
Who is Volt Typhoon?
Volt Typhoon is a Chinese state-sponsored hacking group that has carried out hundreds of attacks on critical infrastructure since it became active in mid-2021. In May 2023, Microsoft released a warning about the group stating that it used "living off the land" data extraction and cyber espionage techniques.
In December 2023, an FBI investigation uncovered a wide-ranging botnet built by the gang from hundreds of privately owned routers across the U.S. and its overseas territories. The following month, Department of Justice investigators said that the malware had been deleted from affected routers, neutralising the botnet.
Recommendations for protecting Versa Director servers
Versa Networks and Lumen Technologies both make a number of recommendations to users of Versa Director servers:
Patch immediately: Patches for versions 21.2.3, 22.1.2, and 22.1.3 are available.
Apply hardening best practices: Versa Networks recommends following its Firewall and System Hardening requirements.
Check whether the vulnerability has already been exploited:
a) Check "/var/versa/vnms/web/custom_logo/" for any suspicious files. Run the command "file -b --mime-type <.png file>" on each file; a legitimate logo reports the file type as "image/png."
b) Search for interactions with port 4566 on Versa Director servers from non-Versa node IPs (e.g., SOHO devices).
c) Check for newly created user accounts and other irregular files.
d) Review existing accounts, logs, and credentials, and triage any lateral movement attempts if indicators of compromise are detected.
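The first two checks in the list above can be scripted. The following Python is an added example written for this article; it is not Versa's or Lumen's tooling. It performs the same test as "file -b --mime-type" by reading the PNG signature directly, so a renamed payload in the custom_logo directory stands out, and it flags connections to the HA-pairing ports (4566 and 4570) whose source is not the configured HA peer. The log format, the peer address 10.0.0.2, and the sample files and log lines are all constructed for the example; the real directory path is the one named in the article.

```python
"""Added example: two post-exploitation checks for a Versa Director host.
(a) find files in the custom_logo directory that are not real PNGs;
(b) find HA-port connections that do not come from the HA peer.
Sample data below is constructed; the log format is an assumption."""
import ipaddress
import os
import tempfile

# Every valid PNG starts with this 8-byte signature; this is what `file` keys on.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
HA_PORTS = (4566, 4570)
# Production path from the Versa guidance; the example uses a temp dir instead.
CUSTOM_LOGO_DIR = "/var/versa/vnms/web/custom_logo/"


def is_png(path):
    """True if the file carries the PNG signature (equivalent to image/png from `file`)."""
    with open(path, "rb") as f:
        return f.read(8) == PNG_MAGIC


def find_suspicious_logo_files(logo_dir):
    """Return the names of files in logo_dir that are not genuine PNG images."""
    suspicious = []
    for name in sorted(os.listdir(logo_dir)):
        path = os.path.join(logo_dir, name)
        if os.path.isfile(path) and not is_png(path):
            suspicious.append(name)
    return suspicious


# Constructed connection log: "timestamp src_ip src_port dst_ip dst_port" (format is an assumption).
SAMPLE_LOG = """\
2024-06-12T08:01:02Z 10.0.0.2 51234 10.0.0.1 4566
2024-06-12T08:02:15Z 203.0.113.77 40123 10.0.0.1 4566
2024-06-12T08:03:40Z 198.51.100.9 40124 10.0.0.1 443
2024-06-12T08:04:01Z 203.0.113.77 40125 10.0.0.1 4570
"""


def flag_foreign_ha_connections(log_text, ha_peers, ports=HA_PORTS):
    """Return (src_ip, dst_port) for connections to an HA port from a non-peer address."""
    peers = {ipaddress.ip_address(p) for p in ha_peers}
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not match the assumed format
        src, dport = fields[1], int(fields[4])
        if dport in ports and ipaddress.ip_address(src) not in peers:
            hits.append((src, dport))
    return hits


def build_sample_logo_dir():
    """Create a temporary stand-in for custom_logo with one real PNG header and one
    file that merely has a .png name (both constructed for the example)."""
    d = tempfile.mkdtemp(prefix="custom_logo_")
    with open(os.path.join(d, "logo.png"), "wb") as f:
        f.write(PNG_MAGIC + b"\x00" * 16)
    with open(os.path.join(d, "banner.png"), "wb") as f:
        f.write(b"this is not an image")
    return d


if __name__ == "__main__":
    sample_dir = build_sample_logo_dir()
    print("suspicious logo files:", find_suspicious_logo_files(sample_dir))
    print("HA-port connections from non-peer IPs:",
          flag_foreign_ha_connections(SAMPLE_LOG, ["10.0.0.2"]))
```

On a real host, point find_suspicious_logo_files at CUSTOM_LOGO_DIR and feed flag_foreign_ha_connections the Director's firewall or flow logs with the actual standby node address as the peer; any file that fails the signature check or any hit from an address other than the HA peer is an indicator worth triaging under steps c) and d).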
Block external access to ports 4566 and 4570: Ensure the ports are only open between the active and standby Versa Director nodes for HA-pairing traffic. Read the customer support article named Versa Director HA Port Exploit – Discovery and Remediation.
For more technical information, indicators of compromise, and recommendations, see the report from Black Lotus Labs and its YARA rules for threat hunting.