Malicious hackers are exploiting a zero-day vulnerability in Versa Director, a software product used by many Internet and IT providers. Researchers believe the activity is connected to Volt Typhoon, a Chinese cyber espionage group focused on penetrating sensitive US networks and laying the groundwork to be able to intercept communications between the United States and Asia during any armed conflict with China.
Versa Director systems are used primarily by Internet Service Providers (ISPs) and Managed Service Providers (MSPs) that cater to the IT needs of many small to medium-sized businesses at the same time. In a security advisory published on Aug. 26, Versa urged customers to patch the vulnerability (CVE-2024-39717), which the company says is fixed in Versa Director 22.1.4 or later.
Versa said the vulnerability allows attackers to upload a file of their choice to vulnerable systems. The advisory placed heavy blame on Versa customers who “failed to implement system security guidelines and firewalls…leaving an administrative port exposed to the Internet that gave malicious actors initial access.”
Versa’s advisory doesn’t say how it learned about the zero-day flaw, but its vulnerability listing on mitre.org notes that “there are reports by others based on basic telemetry observations from a third-party provider, but this has not been confirmed so far.”
Those third-party reports came in late June 2024 from Michael Horka, a senior information security engineer at Black Lotus Labs, the security research arm of Lumen Technologies, which serves as a main backbone of the Internet around the world.
In an interview with KrebsOnSecurity, Horka said Black Lotus Labs identified a web-based backdoor on the Versa Director systems of four US victims and one non-US victim in the ISP and MSP sector, with the first known exploitation taking place at a US ISP on June 12, 2024.
“This makes Versa Director a useful tool for advanced persistent threat (APT) actors who may want to view or control network infrastructure at scale, or penetrate additional (or downstream) networks of interest,” Horka wrote in a blog post published today.
Black Lotus Labs said it assessed with “moderate” confidence that Volt Typhoon was behind the compromise, noting that the intrusion had the hallmarks of a Chinese state-sponsored espionage group, including zero-day attacks targeting IT infrastructure providers and Java-based backdoors that run only in memory.
In May 2023, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint warning (PDF) about Volt Typhoon, also known as “Bronze Silhouette” and “Unseen Taurus,” which explained how the group uses small office/home office (SOHO) network devices to hide its activity.
In early December 2023, Black Lotus Labs published findings on the “KV-botnet,” thousands of compromised SOHO routers wired together to form a covert data transmission network supporting various Chinese government-sponsored hacking groups, including Volt Typhoon.
In January 2024, the US Department of Justice revealed that the FBI conducted a court-ordered takedown of the KV-botnet shortly before Black Lotus Labs released its December report.
In February 2024, CISA again joined the FBI and NSA in warning that Volt Typhoon threatens the IT environments of many critical infrastructure organizations, particularly in the telecommunications, energy, transportation systems, and water and wastewater sectors, in the continental and non-continental United States and its territories, including Guam.
“Volt Typhoon’s choice of targets and pattern of behavior are not compatible with traditional cyber espionage or intelligence gathering activities, and the American intelligence agencies are assessing with great confidence that the actors of Volt Typhoon are placing themselves at the front of IT networks in order to be able to move together in OT [operational technology] goods to disrupt operations,” the warning stated.
In a speech at Vanderbilt University in April, FBI Director Christopher Wray said China is developing “the ability to damage our critical infrastructure at will,” and that China’s plan is to “attack public infrastructure to try to cause panic.”
Ryan English, an information security engineer at Lumen, said it was disappointing that his employer did not at least get a polite mention in Versa’s security advisory. But he said he’s glad that now a few Versa systems have been exposed in the attack.
“Lumen in the past nine weeks has been very close to its leadership with the aim of helping them reduce this,” said English. “We gave them everything we could along the way, so it’s nice to be looked at as someone else.”