Advanced persistent attackers have exploited a zero-day vulnerability (CVE-2024-39717) in Versa Director to compromise US-based managed service providers with a custom-made web shell dubbed VersaMem by the researchers. The malware harvests credentials enabling the attackers to access the providers’ downstream customers’ networks as an authenticated user.
“Based on known and observed tactics and techniques, [Lumen’s] Black Lotus Labs attributes the zero-day exploitation of CVE-2024-39717 and operational use of the VersaMem web shell with moderate confidence to the Chinese state-sponsored threat actors known as Volt Typhoon and Bronze Silhouette,” Lumen’s threat research and operations arm stated.
“At the time of this writing, we assess the exploitation of this vulnerability is limited to Volt Typhoon and is likely ongoing against unpatched Versa Director systems.”
The Volt Typhoon APT has previously targeted networks across US critical infrastructure, and the FBI has disrupted the botnet of US-based SOHO routers the group used for attacking those and other organizations.
CVE-2024-39717 exploited
Versa Director is a platform that managed service providers use for delivering Secure Access Service Edge (SASE) services to their clients. It is developed and sold by Versa Networks.
The wider public found out about CVE-2024-39717 – a vulnerability that allows users/attackers with certain privileges to upload a malicious file – on August 23, when the Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities catalog.
“The Versa Director GUI contains an unrestricted upload of file with dangerous type vulnerability that allows administrators with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges to customize the user interface. The ‘Change Favicon’ (Favorite Icon) enables the upload of a .png file, which can be exploited to upload a malicious file with a .png extension disguised as an image,” CISA explained.
On Monday, Versa Networks’ security research team published a security advisory about the vulnerability, released a patch for it, and confirmed that it has been exploited “in at least one known instance by an Advanced Persistent Threat actor.”
The attacks
On Tuesday, Black Lotus Labs researchers shared that they identified actor-controlled small-office/home-office (SOHO) devices exploiting the zero-day at four US victims and one non-US victim in the ISP / MSP / IT sectors as early as June 12, 2024.
“The VersaMem web shell is a sophisticated JAR web shell that was uploaded to VirusTotal on June 7, 2024, with the filename ‘VersaTest.png’ and currently has zero anti-virus (AV) detections,” they explained, and said that it’s possible that the threat actors may have been testing the web shell in the wild on non-US victims before deploying it to US targets.
VersaMem is custom-tailored to interact with Versa Director, capture plaintext user credentials and dynamically load in-memory Java modules – which explains its stealthiness.
How the attacks unfolded (Source: Black Lotus Labs)
“The initial access port for the compromised Versa Director systems was likely port 4566 which, according to Versa documentation, is a management port associated with high-availability (HA) pairing between Versa nodes,” the researchers added.
“We identified compromised SOHO devices with TCP sessions over port 4566 which were immediately followed by large HTTPS connections over port 443 for several hours.”
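The traffic pattern the researchers describe (a TCP session to the HA pairing port, immediately followed by a large, hours-long HTTPS session) can be turned into a simple flow-log check. The script below is an added example written for this article, not code from Black Lotus Labs or Versa. It assumes a CSV flow-record format, RFC 5737 documentation addresses for the constructed sample, and thresholds (a ten-minute follow-on window, 10 MB or one hour as "large") that are illustrative choices rather than values from the report; legitimate HA peers are excluded through an allowlist, since they are expected on port 4566.

```python
import csv
from dataclasses import dataclass
from datetime import datetime, timedelta
from io import StringIO

# Ports from the Black Lotus Labs description: 4566 is the Versa HA pairing
# port, 443 carried the large follow-on HTTPS sessions.
HA_PORT = 4566
HTTPS_PORT = 443

# Thresholds are assumptions chosen for this example, not values from the report.
FOLLOW_WINDOW = timedelta(minutes=10)   # how soon after the 4566 session 443 must start
MIN_HTTPS_BYTES = 10_000_000            # "large" HTTPS transfer
MIN_HTTPS_DURATION_S = 3600             # or a session lasting an hour or more

# Constructed sample flow records (RFC 5737 addresses; the Director is 198.51.100.20,
# 198.51.100.21 is its legitimate HA peer, 203.0.113.x are outside hosts).
SAMPLE_FLOWS = """\
# start,src,dst,proto,dport,bytes,duration_s
2024-06-12T03:14:05Z,203.0.113.7,198.51.100.20,tcp,4566,1460,2
2024-06-12T03:14:09Z,203.0.113.7,198.51.100.20,tcp,443,52428800,14400
2024-06-12T03:20:00Z,203.0.113.9,198.51.100.20,tcp,443,8192,4
2024-06-12T04:00:00Z,198.51.100.21,198.51.100.20,tcp,4566,9000,30
2024-06-12T04:00:01Z,198.51.100.21,198.51.100.20,tcp,443,4096,3
"""


@dataclass(frozen=True)
class Flow:
    start: datetime
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int
    duration_s: int


def parse_flows(text: str) -> list[Flow]:
    """Parse CSV flow records: start,src,dst,proto,dport,bytes,duration_s."""
    flows = []
    for row in csv.reader(StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        start, src, dst, proto, dport, nbytes, dur = row
        flows.append(Flow(datetime.strptime(start, "%Y-%m-%dT%H:%M:%SZ"),
                          src, dst, proto, int(dport), int(nbytes), int(dur)))
    return flows


def _first_match(fs: list[Flow]):
    """Return (ha_flow, https_flow) for the first 4566 -> large 443 sequence, else None."""
    for i, ha in enumerate(fs):
        if ha.dport != HA_PORT:
            continue
        for nxt in fs[i + 1:]:
            if nxt.start - ha.start > FOLLOW_WINDOW:
                break  # flows are sorted, so nothing later can qualify for this 4566 hit
            big = nxt.nbytes >= MIN_HTTPS_BYTES or nxt.duration_s >= MIN_HTTPS_DURATION_S
            if nxt.dport == HTTPS_PORT and big:
                return ha, nxt
    return None


def detect_ha_port_then_https(flows, director_ip, allowed_peers=frozenset()):
    """Flag sources that hit TCP/4566 on the Director and then open a large or
    long HTTPS session to it within FOLLOW_WINDOW.

    allowed_peers: IPs of legitimate HA peers, which are expected on 4566.
    Returns one (src, ha_start, https_start) tuple per offending source.
    """
    by_src: dict[str, list[Flow]] = {}
    for f in flows:
        if f.dst == director_ip and f.proto == "tcp" and f.src not in allowed_peers:
            by_src.setdefault(f.src, []).append(f)

    alerts = []
    for src, fs in by_src.items():
        fs.sort(key=lambda f: f.start)
        match = _first_match(fs)
        if match:
            alerts.append((src, match[0].start, match[1].start))
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, ha_start, https_start in detect_ha_port_then_https(
            flows, "198.51.100.20", allowed_peers={"198.51.100.21"}):
        print(f"ALERT {src}: 4566 session at {ha_start:%H:%M:%S}, "
              f"large HTTPS at {https_start:%H:%M:%S}")
```

On the sample data only 203.0.113.7 is reported: 203.0.113.9 never touched port 4566, and the HA peer's follow-on HTTPS session is small. In a real deployment the thresholds should be tuned against a baseline of normal Director traffic, and any source other than the configured HA peer reaching port 4566 at all is worth a look, since the advisory expects that port to be firewalled.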
In its security advisory, Versa Networks repeatedly says that exploitation was possible because “impacted customers failed to implement system hardening and firewall guidelines” that were available for years, and thus left the management port exposed on the internet.
What now?
Versa advises customers to upgrade to one of the fixed versions of Versa Director – 21.2.3, 22.1.2, 22.1.3, or 22.1.4 – and to implement the aforementioned system hardening and firewall guidelines.
“To identify if the vulnerability has already been exploited, customers can inspect the /var/versa/vnms/web/custom_logo/ folder for any suspicious files having been uploaded. Running the command: file -b --mime-type <.png file> should report the file type as ‘image/png’,” the company said, and urged customers to get in touch if they need help with any of these actions.
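The `file` check in Versa's advisory works because `file` looks at a file's leading bytes rather than its name, which is exactly what a JAR renamed to .png fails. The script below is an added example, not Versa's or Lumen's code, that applies the same content-based test to every file under the custom_logo directory so a whole upload folder can be triaged at once. It assumes only the standard PNG and ZIP signatures (a JAR is a ZIP container); the sample directory it builds when the real path is absent is constructed for illustration, and the advisory's `file -b --mime-type` command remains the authoritative check.

```python
import tempfile
import zipfile
from pathlib import Path

# Leading bytes that identify a format regardless of file extension (the script
# trusts content, never the name). PNG has a fixed 8-byte signature; JAR files
# are ZIP containers and start with the ZIP local-file-header marker.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"

# Directory named in Versa's advisory. Any other path can be passed for testing.
DEFAULT_LOGO_DIR = Path("/var/versa/vnms/web/custom_logo")


def sniff_mime(path: Path) -> str:
    """Return a MIME type derived from the file's first bytes, not its extension.

    Mirrors what `file -b --mime-type` reports for the two formats that matter
    here: a genuine favicon ("image/png") versus a JAR/ZIP ("application/zip").
    """
    with open(path, "rb") as fh:
        head = fh.read(len(PNG_MAGIC))
    if head.startswith(PNG_MAGIC):
        return "image/png"
    if head.startswith(ZIP_MAGIC):
        return "application/zip"  # a JAR web shell would land here
    return "application/octet-stream"


def scan_logo_dir(logo_dir: Path = DEFAULT_LOGO_DIR) -> list[tuple[str, str]]:
    """Report every file under logo_dir whose content is not a real PNG.

    Returns (path relative to logo_dir, sniffed MIME) pairs in a stable order.
    Nothing is deleted; the output is meant for triage and evidence preservation.
    """
    findings = []
    for path in sorted((p for p in logo_dir.rglob("*") if p.is_file()), key=str):
        mime = sniff_mime(path)
        if mime != "image/png":
            findings.append((str(path.relative_to(logo_dir)), mime))
    return findings


def build_sample_dir() -> Path:
    """Constructed sample data: a genuine PNG header, a JAR renamed to .png, and junk."""
    sample = Path(tempfile.mkdtemp(prefix="custom_logo_sample_"))
    (sample / "favicon.png").write_bytes(PNG_MAGIC + b"\x00" * 16)
    # A minimal JAR: a ZIP archive holding only a manifest, saved under the
    # disguised name the researchers reported for the uploaded web shell.
    with zipfile.ZipFile(sample / "VersaTest.png", "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    (sample / "logo.png").write_bytes(b"<html>not an image</html>")
    return sample


if __name__ == "__main__":
    target = DEFAULT_LOGO_DIR if DEFAULT_LOGO_DIR.is_dir() else build_sample_dir()
    hits = scan_logo_dir(target)
    for rel, mime in hits:
        print(f"SUSPICIOUS {target / rel}: content sniffed as {mime}")
    if not hits:
        print(f"No non-PNG content found under {target}")
```

Run on a Director host the script scans the advisory's directory directly; elsewhere it builds the sample folder and reports the renamed JAR and the HTML file while leaving the real PNG alone. Flagged files should be preserved (hash, timestamps, owner) rather than removed, since the researchers noted the web shell had no AV detections and the file itself may be the only artifact of the upload.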
The company had previously sent guidance directly to customers in late July and early August 2024.
Lumen’s researchers have shared indicators of compromise and additional detection and mitigation steps.
“Given the severity of the vulnerability, the sophistication of the threat actors, the critical role of Versa Director servers in the network, and the potential consequences of a successful compromise, Black Lotus Labs considers this exploitation campaign to be highly significant,” they concluded.