Volt Typhoon Hackers Exploit Zero-Day Vulnerability in Versa Director Servers Used by MSPs, ISPs



Volt Typhoon, a Chinese state-sponsored hacking group, has been caught exploiting a zero-day vulnerability in Versa Director servers, which are used by managed service providers and internet service providers.

CVE-2024-39717 was added to CISA's "Known Exploited Vulnerabilities Catalog" on Aug. 23 after Lumen Technologies discovered its active exploitation.

Data from Censys shows that there are 163 devices in the U.S., Philippines, Shanghai, and India that are still exposed, despite Versa Networks releasing a patch for Versa Director versions 21.2.3, 22.1.2, and 22.1.3. The security firm urged users of these devices to segment them into a protected network and isolate them from the internet.

Why cybercriminals targeted Versa Director servers

Versa Director servers allow MSPs and ISPs to centrally manage network configurations for devices running SD-WAN software. They present a popular target for hackers because a single compromised server can be used to reach multiple downstream systems.

Because of the potential for a large-scale attack, the vulnerability has been given a 'high-severity' rating by Versa Networks, although it is relatively difficult to exploit.

CVE-2024-39717 affects all Versa Director versions prior to 22.1.4. Cybercriminals exploited it using a custom-tailored web shell that Black Lotus Labs, the cyber research arm of Lumen Technologies, is calling "VersaMem." The web shell intercepts credentials that attackers can then use to gain authorised access to other client networks.

Black Lotus Labs has linked the exploitation of CVE-2024-39717 to Volt Typhoon with "moderate confidence," according to their vulnerability report. It also said that attacks are "likely ongoing against unpatched Versa Director systems."

SEE: Microsoft warns of Volt Typhoon, latest salvo in global cyberwar

Versa maintains that there has only been one confirmed instance of its exploitation by an Advanced Persistent Threat actor. It also said that the customer had "failed to implement system hardening and firewall guidelines" published in 2017 and 2015, respectively, meaning a management port was left exposed. This port provided the threat actor with initial access without needing the Versa Director GUI.

However, the Black Lotus Labs team says it has identified threat actors exploiting the vulnerability at four U.S. companies and one non-U.S. company in the ISP, MSP, and IT sectors since June 12. Versa has said that instances based on the observations of a third-party provider are "unconfirmed to date."

In their report, the analysts wrote: "The threat actors gain initial administrative access over an exposed Versa management port intended for high-availability (HA) pairing of Director nodes, which leads to exploitation and the deployment of the VersaMem web shell."

CISA recommends that all vulnerabilities included in the Known Exploited Vulnerabilities Catalog are remediated quickly as part of the organization's vulnerability management practice.

How can CVE-2024-39717 be exploited?

CVE-2024-39717 allows authenticated users with high-level privileges to upload malicious files, commonly disguised as images, which can then execute harmful code. Once exploited, the vulnerability can be used to gain unauthorised access and escalate privileges.

The Volt Typhoon threat actors gained privileged access to Versa Director by exploiting an exposed Versa management port intended for high-availability pairing of Director nodes. They then deployed a custom web shell on the Apache Tomcat web server, giving them remote control, before using memory injection techniques to insert malicious code into legitimate Tomcat processes. The injected code allowed them to run commands and control the compromised system while blending in with normal traffic.

Finally, they modified Versa's "setUserPassword" authentication functionality to intercept and capture customer credentials in plaintext, which they could then use to compromise customer infrastructure.

The web shell was also used to hook Tomcat's 'doFilter' request filtering functionality and intercept inbound HTTP requests. The threat actors can then inspect them for sensitive information or dynamically load in-memory Java modules.

Who is Volt Typhoon?

Volt Typhoon is a Chinese state-sponsored hacking group that has conducted hundreds of attacks on critical infrastructure since it became active in mid-2021. In May 2023, Microsoft released a warning about the group that stated it used "living off the land" data extraction and cyber espionage techniques.

In December 2023, an FBI investigation uncovered a wide-ranging botnet attack by the gang, made up of hundreds of privately-owned routers across the U.S. and its overseas territories. The following month, Department of Justice investigators said that the malware had been deleted from affected routers, neutralising the botnet.

Recommendations for protecting Versa Director servers

Versa Networks and Lumen Technologies both make a number of recommendations to users of Versa Director servers:

  1. Patch immediately: Patches for versions 21.2.3, 22.1.2, and 22.1.3 are available.
  2. Apply hardening best practices: Versa Networks recommends following its Firewall and System Hardening requirements.
  3. Check to see if the vulnerability has already been exploited:
    a) Inspect "/var/versa/vnms/web/custom_logo/" for any suspicious files. Run the command "file -b --mime-type <.png file>" and confirm the file type is reported as "image/png"; anything else under a .png name is suspect.
    b) Search for interactions with port 4566 on Versa Director servers from non-Versa node IPs (e.g., SOHO devices).
    c) Check for newly created user accounts and other irregular files.
    d) Review existing accounts, logs, and credentials and triage any lateral movement attempts if indicators of compromise are detected.
  4. Block external access to ports 4566 and 4570: Ensure the ports are only open between the active and standby Versa Director nodes for HA-pairing traffic. Read the customer support article named Versa Director HA Port Exploit – Discovery and Remediation.
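As an added, defender-side example (this is not code from the article, Versa Networks or Lumen Technologies), the POSIX shell script below automates checks 3a and 3b: it flags every file in the custom_logo directory whose content is not actually image/png, whatever its extension claims, and lists source addresses that reached the HA-pairing ports 4566/4570 without being one of the Director peers. The connection-log format (iptables-style SRC= and DPT= fields), the peer IP list and the sample files are constructed assumptions for the demo; on a real Director you would point the functions at the directory named in step 3a and at your firewall or flow logs.

```shell
#!/bin/sh
# Added example: automates recommendation 3a (non-PNG files in custom_logo)
# and 3b (non-peer connections to the HA ports). Log format, peer IPs and
# all sample data below are constructed for the demo.

# MIME type of a file: use `file -b --mime-type` (the command quoted in the
# recommendations) when it is installed, otherwise fall back to checking the
# 8-byte PNG signature so the check still works on a minimal host.
mime_of() {
    if command -v file >/dev/null 2>&1; then
        file -b --mime-type "$1"
    elif [ "$(dd if="$1" bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "89504e470d0a1a0a" ]; then
        echo image/png
    else
        echo application/octet-stream
    fi
}

# Print each regular file in the given directory whose content is not a PNG.
suspicious_logo_files() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ "$(mime_of "$f")" = "image/png" ] || echo "$f"
    done
}

# Print (once each) the source IPs that contacted port 4566 or 4570 but are
# not in the space-separated allow-list of legitimate Director node IPs.
# Assumed log format: one connection per line with SRC=<ip> and DPT=<port>.
foreign_ha_connections() {
    log=$1; peers=$2
    awk -v peers="$peers" '
        BEGIN { n = split(peers, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if ((dpt == "4566" || dpt == "4570") && !(src in ok) && !(src in seen)) {
                seen[src] = 1; print src
            }
        }' "$log"
}

# --- constructed demo data (stands in for /var/versa/vnms/web/custom_logo/) ---
DEMO=$(mktemp -d)
mkdir -p "$DEMO/custom_logo"
# A genuine 1x1 PNG header: signature followed by an IHDR chunk.
printf '\211PNG\r\n\032\n\000\000\000\015IHDR\000\000\000\001\000\000\000\001\010\006\000\000\000\037\025\304\211' > "$DEMO/custom_logo/logo.png"
# A non-image file carrying a .png name (harmless placeholder text).
printf 'placeholder text, not an image\n' > "$DEMO/custom_logo/banner.png"
# Constructed firewall log: 10.10.0.1/.2 are the HA pair, 203.0.113.77 is not.
cat > "$DEMO/conn.log" <<'EOF'
2024-06-12T10:00:01Z IN=eth0 SRC=10.10.0.2 DST=10.10.0.1 DPT=4566
2024-06-12T10:00:05Z IN=eth0 SRC=203.0.113.77 DST=10.10.0.1 DPT=4566
2024-06-12T10:01:10Z IN=eth0 SRC=198.51.100.9 DST=10.10.0.1 DPT=443
2024-06-12T10:02:30Z IN=eth0 SRC=203.0.113.77 DST=10.10.0.1 DPT=4570
EOF

echo "Files in custom_logo that are not PNG images:"
suspicious_logo_files "$DEMO/custom_logo"
echo "Non-peer sources that reached HA ports 4566/4570:"
foreign_ha_connections "$DEMO/conn.log" "10.10.0.1 10.10.0.2"
```

The two functions are independent: `suspicious_logo_files` can be run directly against the real custom_logo path, and `foreign_ha_connections` only needs a log whose lines carry SRC= and DPT= fields and the IPs of the active and standby nodes; any address it prints is a candidate for the triage in step 3d.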

For more technical information, indicators of compromise, and recommendations, see the report from Black Lotus Labs and its YARA rules for threat hunting.
