
China's Volt Typhoon Suspected Of Exploiting Versa Bug

by hubie from SoylentNews (#6QJVS)

Arthur T Knackerbracket has processed the following story:

This vulnerability, tracked as CVE-2024-39717, is being abused to plant custom, credential-harvesting web shells on customers' networks, according to Black Lotus Labs. Lumen Technologies' security researchers have attributed "with moderate confidence" both the new malware, dubbed VersaMem, and the exploitation to Volt Typhoon, warning that these attacks are "likely ongoing against unpatched Versa Director systems."

Volt Typhoon is the Beijing-backed cyberspy crew that the feds have accused of burrowing into US critical infrastructure networks while readying "disruptive or destructive cyberattacks" against these vital systems.

Versa Director is a software tool that allows for the central management and monitoring of Versa SD-WAN software. It's generally used by internet service providers (ISPs) and managed service providers (MSPs) to maintain their customers' network configurations - and this makes it an attractive target for cybercriminals because it gives them access to the service providers' downstream customers.

That appears to be the case with this CVE, as Versa notes the attacks target MSPs for privilege escalation.

[...] Versa has since released a patch, and encourages all customers to upgrade to Versa Director version 22.1.4 or later and apply the hardening guidelines. But the advice comes too late for some, as we're told: "This vulnerability has been exploited in at least one known instance by an Advanced Persistent Threat actor."

[...] "Analysis of our global telemetry identified actor-controlled small-office/home-office (SOHO) devices exploiting this zero-day vulnerability at four U.S. victims and one non-U.S. victim in the Internet service provider (ISP), managed service provider (MSP) and information technology (IT) sectors as early as June 12, 2024," the threat hunters noted.

After gaining access to the victims' networks via the exposed Versa management port, the attackers deployed the VersaMem web shell, which steals credentials and then allows Volt Typhoon to access the service providers' customers' networks as authenticated users.

"VersaMem is also modular in nature and enables the threat actors to load additional Java code to run exclusively in-memory," the security shop added.

Read more of this story at SoylentNews.
