China-linked APT Volt Typhoon exploited a zero-day vulnerability, tracked as CVE-2024-39717, in Versa Director, to deploy a custom webshell on breached networks.
Versa Director is a centralized management and orchestration platform used primarily by Internet Service Providers (ISPs) and Managed Service Providers (MSPs) to manage and monitor Software-Defined Wide Area Networks (SD-WANs).
The vulnerability CVE-2024-39717 resides in the “Change Favicon” feature in Versa Director’s GUI, it allows administrators with specific privileges to upload a malicious file disguised as a PNG image. Exploitation requires successful authentication by a user with the necessary privileges. Although details are limited, Versa Networks confirmed one case where the vulnerability was exploited due to a customer’s failure to implement recommended firewall guidelines.
“This vulnerability has been exploited in at least one known instance by an Advanced Persistent Threat actor.” reads the advisory published by Versa Networks.
This oversight allowed the attacker to exploit the vulnerability without needing to access the GUI. Threat actors uploaded a custom webshell to target systems to steal credentials. The company confirmed that at least one APT group actively exploited the flaw in the wild.
The vulnerability impacts Versa Director versions 22.1.3, 21.2.3, 22.1.2.
Researchers at Lumen’s Black Lotus Labs discovered a zero-day vulnerability in Versa Director on June 17. The experts spotted a malicious Java binary named “VersaTest.png” uploaded from Singapore to VirusTotal. The file was analyzed and found to be a custom Java web shell, internally named “Director_tomcat_memShell” and referred to by researchers as “VersaMem.” This malware, designed specifically for Versa Director, currently has zero detections on VirusTotal.
Black Lotus Labs detected unusual traffic indicating the exploitation of several U.S. Versa Director servers between June 12 and mid-July 2024. The initial access to these compromised systems was likely through port 4566, typically used for high-availability (HA) pairing between Versa nodes. The compromised systems showed brief TCP traffic on port 4566, followed by extended HTTPS sessions on port 443, which is unusual for legitimate traffic from non-Versa nodes like SOHO devices.
This pattern suggests a successful exploitation, leading to the use of the VersaMem web shell. The researchers identified four U.S. victims and one non-U.S. victim, mainly in the ISP, MSP, and IT sectors, with the earliest exploitation detected at a U.S. ISP on June 12, 2024.
“Black Lotus Labs identified a unique, custom-tailored web shell that is tied to this vulnerability, which we call “VersaMem.” The web shell’s primary purpose is to intercept and harvest credentials which would enable access into downstream customers’ networks as an authenticated user. VersaMem is also modular in nature and enables the threat actors to load additional Java code to run exclusively in-memory. Analysis of our global telemetry identified actor-controlled small-office/home-office (SOHO) devices exploiting this zero-day vulnerability at four U.S. victims and one non-U.S. victim in the Internet service provider (ISP), managed service provider (MSP) and information technology (IT) sectors as early as June 12, 2024.” reads the report published by Black Lotus Labs. “The threat actors gain initial administrative access over an exposed Versa management port intended for high-availability (HA) pairing of Director nodes, which leads to exploitation and the deployment of the VersaMem web shell.”
The VersaMem web shell is a sophisticated, custom-tailored JAR web shell designed to target Versa Director systems. The malware is developed through Apache Maven, it was built on June 3, 2024, and attaches itself to the Apache Tomcat process on execution. The malicious code uses the Java Instrumentation API and Javassist toolkit to modify Java code in memory, avoiding detection.
The web shell supports two primary functions: capturing plaintext user credentials and dynamically loading Java classes in memory. It intercepts credentials by hooking into Versa’s “setUserPassword” method, encrypting and storing them on disk. It also hooks into the “doFilter” method of the Tomcat web server to inspect and dynamically load malicious Java modules based on specific parameters. The malware operates directly in memory, it doesn’t modify files on disk to avoid detection
“Given the severity of the vulnerability, the sophistication of the threat actors, the critical role of Versa Director servers in the network, and the potential consequences of a successful compromise, Black Lotus Labs considers this exploitation campaign to be highly significant.” concludes the report that includes Indicators of Compromise (IoCs). “Black Lotus Labs assesses this exploitation activity was ongoing as of at least early August 2024”
The Volt Typhoon group has been active since at least mid-2021 it carried out cyber operations against critical infrastructure. In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.
The APT group is using almost exclusively living-off-the-land techniques and hands-on-keyboard activity to evade detection.
In December 2023, Microsoft first noticed that to conceal malicious traffic, the threat actor routes it through compromised small office and home office (SOHO) network devices, including routers, firewalls, and VPN hardware. The group also relies on customized versions of open-source tools for C2 communications and to stay under the radar.
The Chinese cyberespionage group has successfully breached the networks of multiple US critical infrastructure organizations. Most of the impacted organizations are in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems sectors.
U.S. agencies fear the possibility that these actors could gain access to the networks of critical infrastructure to cause disruptive effects in the event of potential geopolitical tensions and/or military conflicts.
The Volt Typhoon’s activities suggest that the group primarily aims to establish a foothold within networks to secure access to Operational Technology (OT) assets.
The US agencies also released a technical guide containing recommendations on how to identify and mitigate living off the land techniques adopted by the APT group.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Volt Typhoon)