A group of hackers exploited a zero-day vulnerability in Versa Director—software used by a number of internet service providers (ISPs) to secure their network operations—and were able to compromise several internet companies in the U.S. and abroad, according to Black Lotus Labs, the threat research and operations arm of Lumen Technologies.
Lumen believes the attacks may come from China.
“Based on known and observed tactics and techniques, Black Lotus Labs attributes the zero-day exploitation of CVE-2024-39717 and operational use of the VersaMem web shell with moderate confidence to the Chinese state-sponsored threat actors known as Volt Typhoon and Bronze Silhouette.” Lumen said.
Lumen's researchers identified four U.S. victims and one foreign victim. According to the Washington Post, “targets are believed to include government and military personnel working undercover and groups of strategic interest to China.”
China denied such allegations. “Volt Typhoon’ is actually a ransomware cybercriminal group who calls itself the ‘Dark Power’ and is not sponsored by any state or region,” embassy spokesman Liu Pengyu told the Washington Post. The same statement was shared by Lin Jian, spokesperson of China's Ministry of Foreign Affairs, on April 15 with the Global Times.
The exploit is “likely ongoing against unpatched Versa Director systems," according to the researchers.
According to the findings, Volt Typhoon used a specialized web shell called "VersaMem" to capture user login details. VersaMem, a complex piece of malicious software, works by attaching itself to different processes and manipulating the Java code of vulnerable servers. It operates entirely in memory, making it particularly difficult to detect.
The exploit targeted Versa Director servers. These servers are often used by internet service providers and managed service providers, making them an attractive target for threat actors seeking to extend their reach through enterprise network management setups.
Versa Networks acknowledged the vulnerability on Monday, confirming it had been exploited "in at least one known instance."
Lumen says the VersaMem web shell was first uploaded to malware aggregator VirusTotal on June 7, just days before the earliest observed exploitation. The malware was compiled using Apache Maven, with comments in Chinese characters discovered in the code. As of mid-August, it still had zero detections by antivirus software.
Brandon Wales, former executive director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), recently told The Record that Chinese hackers have improved their abilities to target key U.S. facilities and emphasized the need to increase investments in cybersecurity.
“China continues to target U.S. critical infrastructure,” he said in an interview. “The exposing of the Volt Typhoon efforts has obviously resulted in changes in tactics, the tradecraft that they're using, but we know that they are continuing every day to try to compromise U.S. critical infrastructure.”
The cybersecurity firm emphasized the severity of the vulnerability and the sophistication of the attackers.
Meanwhile, Black Lotus Labs stressed that any operation relying on Versa Director to upgrade the software “to version 22.1.4 or later."