Volt Typhoon Hackers Exploit Zero-Day Vulnerability in Versa Director Servers Used by MSPs, ISPs

Volt Typhoon, a Chinese state-sponsored hacking group, has been caught exploiting a zero-day vulnerability in Versa Director servers, which are used by managed service providers (MSPs) and internet service providers (ISPs).

CVE-2024-39717 was added to CISA's Known Exploited Vulnerabilities Catalog on Aug. 23 after Lumen Technologies discovered it being actively exploited.

Data from Censys shows 163 devices in the U.S., the Philippines, Shanghai, and India that are still exposed to the internet, despite Versa Networks having released patches for Versa Director versions 21.2.3, 22.1.2, and 22.1.3. The security company urged users of these devices to segment them into a protected network and isolate them from the internet.

Why cybercriminals targeted Versa Director servers

Versa Director servers let MSPs and ISPs centrally manage network configurations for devices running SD-WAN software. They are an attractive target because a single compromised Director gives an attacker a path into the many customer systems it manages.

Because of the potential for a large-scale attack, Versa Networks has given the vulnerability a "high-severity" rating, even though it is relatively difficult to exploit.

CVE-2024-39717 affects all Versa Director versions prior to 22.1.4. The attackers exploited it using a custom-tailored web shell that Black Lotus Labs, the threat research arm of Lumen Technologies, is calling "VersaMem." The web shell harvests credentials that the attackers can then use to log in to downstream customer networks as legitimate users.

Black Lotus Labs has linked the exploitation of CVE-2024-39717 to Volt Typhoon with "moderate confidence," according to its vulnerability report. It also said that attacks are "likely ongoing against unpatched Versa Director systems."

SEE: Microsoft warns of Volt Typhoon, latest salvo in global cyberwar

Versa maintains that there has been only one confirmed instance of the vulnerability being exploited by an Advanced Persistent Threat actor. It also said that the affected customer had "failed to implement system hardening and firewall guidelines" published in 2017 and 2015, respectively, meaning a management port was left exposed to the internet. This port gave the threat actor initial access without needing the Versa Director GUI.

However, the Black Lotus Labs team says it has identified threat actors exploiting the vulnerability at four U.S. companies and one non-U.S. company in the ISP, MSP, and IT sectors since June 12. Versa has said that incidents based on the observations of a third-party provider are "unconfirmed to date."

In their report, the analysts wrote: "The threat actors gain initial administrative access over an exposed Versa management port intended for high-availability (HA) pairing of Director nodes, which leads to exploitation and the deployment of the VersaMem web shell."

CISA recommends that all vulnerabilities in the Known Exploited Vulnerabilities Catalog be remediated promptly as part of an organization's vulnerability management practice.

How can CVE-2024-39717 be exploited?

CVE-2024-39717 allows authenticated users with high-level privileges to upload malicious files, disguised as image files, which can then execute harmful code. Once exploited, the vulnerability can be used to gain unauthorised access and escalate privileges.

The Volt Typhoon threat actors gained privileged access to Versa Director by exploiting an exposed management port intended for high-availability pairing of Director nodes. They then deployed a custom web shell on the Apache Tomcat web server, giving them remote control, before using memory injection techniques to insert malicious code into legitimate Tomcat processes. Because the injected code runs inside Tomcat itself, it let them execute commands and control the compromised system while blending in with normal traffic.

Finally, they modified Versa's "setUserPassword" authentication functionality to intercept and capture client credentials in plaintext, which they could then use to compromise client infrastructure.

The web shell was also used to hook Tomcat's "doFilter" request-filtering functionality and intercept inbound HTTP requests. The threat actors could then inspect those requests for sensitive information or dynamically load additional Java modules into memory.

Who is Volt Typhoon?

Volt Typhoon is a Chinese state-sponsored hacking group that has carried out hundreds of attacks on critical infrastructure since it became active in mid-2021. In May 2023, Microsoft released a warning about the group stating that it used "living off the land" techniques for data extraction and cyber espionage.

In December 2023, an FBI investigation uncovered a wide-ranging botnet operated by the group, built from hundreds of privately owned routers across the U.S. and its overseas territories. The following month, Department of Justice investigators said that the malware had been deleted from the affected routers, neutralising the botnet.

Recommendations for protecting Versa Director servers

Versa Networks and Lumen Technologies both make a number of recommendations to users of Versa Director servers:

  1. Patch immediately: Patches for versions 21.2.3, 22.1.2, and 22.1.3 are available.
  2. Apply hardening best practices: Versa Networks recommends following its Firewall and System Hardening requirements.
  3. Check whether the vulnerability has already been exploited:
    a) Inspect "/var/versa/vnms/web/custom_logo/" for any suspicious files. Run "file -b --mime-type <.png file>" on each file there; a legitimate logo reports "image/png", and anything else is suspect.
    b) Search for connections to port 4566 on Versa Director servers from IPs that are not Versa nodes (e.g., SOHO devices).
    c) Check for newly created user accounts and other anomalous files.
    d) Review existing accounts, logs, and credentials, and triage any lateral movement attempts if indicators of compromise are found.
  4. Block external access to ports 4566 and 4570: Ensure these ports are open only between the active and standby Versa Director nodes for HA-pairing traffic. See the customer support article titled Versa Director HA Port Exploit – Discovery and Remediation.
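As an added example (not part of the article, and not Versa's or Black Lotus Labs' own tooling), the following POSIX shell script implements checks 3a and 3b above and the port restriction from step 4. It assumes a Linux host with `od` and `awk` (and netfilter `iptables` for the rules it prints); the function names, the directory contents, the firewall log lines and every IP address are constructed for the demo. It tests for the PNG signature directly instead of calling `file`, which is the same check that `file -b --mime-type` reports as `image/png`, so it also works on hosts without `file` installed.

```shell
#!/bin/sh
# Added example, not Versa's or Black Lotus Labs' code.  Implements checks 3a
# and 3b and the step-4 port restriction from the list above, then runs them
# on constructed sample data so the script works offline.

# --- 3a: files in the custom_logo directory that are not real PNGs -----------
# A genuine PNG begins with the 8-byte signature 89 50 4e 47 0d 0a 1a 0a.  This
# is what `file -b --mime-type` keys on when it answers "image/png"; od is used
# here so the check works on hosts without `file`.
is_png() {
    sig=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    [ "$sig" = "89504e470d0a1a0a" ]
}

# Print every regular file in directory $1 that lacks the PNG signature.
# Returns 0 if the directory is clean, 1 if anything suspicious was found.
find_non_png() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if ! is_png "$f"; then
            echo "SUSPICIOUS: $f"
            rc=1
        fi
    done
    return $rc
}

# --- 3b: connections to HA port 4566 from IPs that are not Director nodes ----
# $1 = log file of netfilter-style records ("... SRC=a.b.c.d ... DPT=n ...");
#      the constructed sample below mimics iptables LOG output, but any format
#      carrying SRC= and DPT= fields works.
# $2 = space-separated allowlist: the active and standby Director addresses.
# Prints each offending source IP once; port match is exact (4566, not 45661).
foreign_4566_sources() {
    awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (dpt == "4566" && src != "" && !(src in ok) && !(src in seen)) {
                seen[src] = 1
                print src
            }
        }' "$1"
}

# --- 4: restrict 4566/4570 to the HA peer ------------------------------------
# $1 = the other Director node's IP.  Emits iptables commands (printed, not
# executed, so they can be reviewed first) that accept HA traffic from the peer
# and drop it from everyone else.  Versa's KB article is authoritative for the
# exact rules on a real deployment; this is the shape of the restriction.
ha_port_rules() {
    echo "iptables -A INPUT -p tcp -m multiport --dports 4566,4570 -s $1 -j ACCEPT"
    echo "iptables -A INPUT -p tcp -m multiport --dports 4566,4570 -j DROP"
}

# --- demo on constructed data ------------------------------------------------
demo() {
    d=$(mktemp -d)
    printf '\211PNG\r\n\032\n' > "$d/favicon.png"        # PNG signature only
    printf 'plain text, not an image\n' > "$d/logo.png"  # planted file
    if find_non_png "$d"; then echo "custom_logo is clean"; fi

    cat > "$d/fw.log" <<'EOF'
Aug 23 10:01:02 director kernel: IN=eth0 SRC=10.0.0.12 DST=10.0.0.11 PROTO=TCP SPT=51234 DPT=4566
Aug 23 10:01:05 director kernel: IN=eth0 SRC=203.0.113.45 DST=10.0.0.11 PROTO=TCP SPT=40022 DPT=4566
Aug 23 10:01:07 director kernel: IN=eth0 SRC=198.51.100.9 DST=10.0.0.11 PROTO=TCP SPT=40100 DPT=443
Aug 23 10:01:09 director kernel: IN=eth0 SRC=203.0.113.45 DST=10.0.0.11 PROTO=TCP SPT=40023 DPT=4566
EOF
    echo "non-Director sources hitting 4566:"
    foreign_4566_sources "$d/fw.log" "10.0.0.11 10.0.0.12"
    ha_port_rules 10.0.0.12
    rm -rf "$d"
}
demo
```

On a real Director, point `find_non_png` at /var/versa/vnms/web/custom_logo/ and feed `foreign_4566_sources` whatever connection log you actually have (firewall logs, flow records, or a parsed `ss`/`netstat` history); the allowlist should contain exactly the active and standby Director IPs and nothing else.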

For more technical information, indicators of compromise, and recommendations, see the report from Black Lotus Labs and its YARA rules for threat hunting.
