Chinese state-sponsored threat actors have been exploiting a zero-day vulnerability in Versa Director servers, identified as CVE-2024-39717.
This vulnerability, discovered by Black Lotus Labs at Lumen Technologies, has been actively targeted since June 2024, affecting several U.S. and international victims in the Internet service provider (ISP), managed service provider (MSP), and IT sectors.
The vulnerability exists in Versa’s software-defined wide area network (SD-WAN) applications, specifically impacting all versions of Versa Director prior to 22.1.4.
Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot
Versa Director servers are critical for managing network configurations and orchestrating SD-WAN functionalities, making them attractive targets for advanced persistent threat (APT) actors aiming to control or view network infrastructure at scale.
The attackers, attributed with moderate confidence to the Chinese groups Volt Typhoon and Bronze Silhouette, utilized a custom web shell named “VersaMem.”
This sophisticated tool intercepts and harvests credentials, enabling unauthorized access to downstream customer networks. The web shell is modular, allowing threat actors to load additional Java code that runs exclusively in-memory, significantly reducing the chances of detection.
The exploitation begins with the attackers gaining administrative access through an exposed Versa management port intended for high-availability (HA) pairing of Director nodes, Black Lotus Labs said.
Once access is obtained, the VersaMem web shell is deployed. This web shell attaches to the primary Apache Tomcat process, leveraging the Java Instrumentation API and Javassist toolkit to modify Java code dynamically in-memory.
Key Functions of the VersaMem Web Shell:
- Credential Harvesting: Hooks into Versa’s authentication method to intercept plaintext credentials, encrypts them using AES, and writes them to disk.
- In-Memory Code Execution: Hooks into the Tomcat application filter chain to load and execute Java modules in-memory, avoiding file-based detection methods.
The exploitation has been ongoing, with initial activities traced back to June 12, 2024. Black Lotus Labs identified anomalous traffic patterns and compromised small-office/home-office (SOHO) devices used in the attacks. The attackers exploited management port 4566, typically reserved for node pairing, to establish unauthorized connections.
Given the severity of the vulnerability and the critical role of Versa Director in network management, Black Lotus Labs has urged organizations to upgrade to Versa Director version 22.1.4 or later.
Affected Systems and Versions
| Versions | Affected | Unaffected |
| 22.1.4 | None | All |
| 22.1.3 | 22.1.3 images released before June 21, 2024 hot fix. | 22.1.3 June 21, 2024 Hot Fix and later. |
| 22.1.2 | 22.1.2 image released before June 21, 2024 hot fix. | 22.1.2 June 21, 2024 Hot Fix and later. |
| 22.1.1 | All | None. Please upgrade to 22.1.3 latest version. |
| 21.2.3 | 21.2.3 images released before June 21, 2024 hot fix. | 21.2.3 June 21, 2024 and later. |
| 21.2.2 | All | None. Please upgrade to 21.2.3 latest version. |
They recommend implementing firewall rules to restrict access to management ports and following Versa Networks’ security advisories for further mitigation steps.
The Cybersecurity and Infrastructure Security Agency (CISA) strongly advises all organizations to promptly implement essential software updates and proactively search for any signs of unauthorized or malicious behavior within their network infrastructure.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial