Malicious hackers likely working on behalf of the Chinese government have been exploiting a high-severity zero-day vulnerability that allowed them to infect at least four US-based ISPs with malware that steals credentials used by downstream customers, researchers said Tuesday.
The vulnerability resides in the Versa Director, a virtualization platform that allows ISPs and managed service providers to manage complex networking infrastructures from a single dashboard, researchers from Black Lotus Labs, the research arm of security firm Lumen, said. The attacks, which began no later than June 12 and are likely ongoing, allow the threat actors to install “VersaMem,” the name Lumen gave to a custom web shell that gives remote administrative control of Versa Director systems.
Getting admin control of ISP infrastructure
The administrative control allows VersaMem to run with the privileges needed to hook the Versa authentication methods: the web shell hijacks the execution flow and inserts functions of its own. One of the functions VersaMem added captures credentials at the moment an ISP customer enters them, before they are cryptographically hashed. Once in possession of the credentials, the threat actors work to compromise the customers. Black Lotus didn’t identify any of the affected ISPs, MSPs, or downstream customers.
CVE-2024-39717, as the zero-day is tracked, is an unsanitized file upload vulnerability that allows the injection of malicious Java files that run on the Versa systems with elevated privileges. Versa patched the vulnerability Monday after Lumen privately reported it earlier. All versions of Versa Director prior to 22.1.4 are affected. To fly under the radar, the threat actors waged their attacks through compromised small office and home office routers.
“Given the severity of the vulnerability, the sophistication of the threat actors, the critical role of Versa Director servers in the network, and the potential consequences of a successful compromise, Black Lotus Labs considers this exploitation campaign to be highly significant,” Tuesday’s report said.
In at least a “few cases,” Black Lotus said in an email, the threat actor appeared to gain initial access to the Versa Director systems through port 4566, which Versa uses to provide what’s known as high-availability pairing between nodes. Versa’s advisory pointed to firewall requirements the company first released in 2015. The advisory said: “Impacted customers failed to implement system hardening and firewall guidelines mentioned above, leaving a management port exposed on the Internet that provided the threat actors with initial access.”
In Tuesday’s post, Black Lotus researchers wrote:
Black Lotus Labs initially observed anomalous traffic aligning with the possible exploitation of several US victims’ Versa Director servers between at least June 12, 2024, and mid-July 2024. Based on analysis of Lumen’s global telemetry, the initial access port for the compromised Versa Director systems was likely port 4566 which, according to Versa documentation, is a management port associated with high-availability (HA) pairing between Versa nodes. We identified compromised SOHO devices with TCP sessions over port 4566 which were immediately followed by large HTTPS connections over port 443 for several hours. Given that port 4566 is generally reserved for Versa Director node pairing and the pairing nodes typically communicate with this port for extended periods of time, there should not be any legitimate communications to that port from SOHO devices over short timeframes.
We assess the short timeframe of TCP traffic to port 4566 immediately followed by moderate-to-large sessions of HTTPS traffic over port 443 from a non-Versa node IP address (e.g. SOHO device) as a likely signature of successful exploitation. Searching through Lumen’s global telemetry, we identified four U.S. victims and one non-U.S. victim in the ISP, MSP and IT sectors, with the earliest exploitation activity occurring at a US ISP on June 12, 2024.
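The traffic pattern Black Lotus describes (a brief TCP session to port 4566 from an IP that is not a known pairing peer, followed shortly by a long HTTPS session over port 443 from the same IP) can be turned into a simple hunt over flow records. The example below is added here and is not code from the Lumen report; the flow records, the Director address and the HA peer allowlist are constructed for illustration, and the time and size thresholds are assumptions to tune for your own environment.

```python
from datetime import datetime, timedelta

# Constructed flow records for illustration (not from the Lumen report):
# (start, end, src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    ("2024-06-12T01:00:00", "2024-06-12T09:00:00", "10.0.0.2",     "203.0.113.10", 4566, 8_000_000),    # HA peer, long-lived pairing session
    ("2024-06-12T02:10:00", "2024-06-12T02:10:12", "198.51.100.7", "203.0.113.10", 4566, 1_400),        # non-peer IP, 12-second session
    ("2024-06-12T02:10:20", "2024-06-12T05:30:00", "198.51.100.7", "203.0.113.10", 443,  250_000_000),  # same IP, hours of HTTPS right after
    ("2024-06-12T03:00:00", "2024-06-12T03:00:05", "192.0.2.44",   "203.0.113.10", 4566, 600),          # short probe with no follow-up
    ("2024-06-12T04:00:00", "2024-06-12T08:00:00", "192.0.2.90",   "203.0.113.10", 443,  50_000_000),   # HTTPS only, no 4566 contact
]

HA_PEERS = {"10.0.0.2"}  # assumed allowlist of legitimate Versa Director pairing peers
DIRECTOR_IP = "203.0.113.10"  # assumed address of the Versa Director under review


def _t(stamp):
    return datetime.fromisoformat(stamp)


def find_suspect_sources(flows, director_ip, ha_peers,
                         max_probe=timedelta(seconds=60),
                         follow_within=timedelta(minutes=5),
                         min_https=timedelta(hours=1),
                         min_https_bytes=100_000_000):
    """Return (src_ip, probe_start) for every short port-4566 session from a
    non-peer IP that is followed within `follow_within` by a long or large
    port-443 session from the same IP to the same Director."""
    https_by_src = {}
    for start, end, src, dst, port, nbytes in flows:
        if dst == director_ip and port == 443:
            https_by_src.setdefault(src, []).append((_t(start), _t(end), nbytes))

    hits = []
    for start, end, src, dst, port, _ in flows:
        if dst != director_ip or port != 4566 or src in ha_peers:
            continue  # not the pairing port, or a peer that is expected to hold it open
        probe_start, probe_end = _t(start), _t(end)
        if probe_end - probe_start > max_probe:
            continue  # long-lived 4566 sessions look like genuine pairing traffic
        for hs, he, nbytes in https_by_src.get(src, []):
            started_right_after = probe_end <= hs <= probe_end + follow_within
            sizeable = (he - hs >= min_https) or (nbytes >= min_https_bytes)
            if started_right_after and sizeable:
                hits.append((src, start))
                break
    return hits


if __name__ == "__main__":
    for src, when in find_suspect_sources(FLOWS, DIRECTOR_IP, HA_PEERS):
        print(f"suspect exploitation pattern from {src} starting {when}")
```

Any hit is a reason to pull the Director's web and audit logs for that window and to compare the source against the indicators in the Black Lotus post; the thresholds deliberately err toward review rather than toward silence.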
Not detected by AV
VersaMem has a modular design, meaning it supports the loading of multiple modules that serve various purposes depending on the threat actor’s objectives for each compromise. To date, Black Lotus has identified only one module—the one that hooks into the Versa Director authentication and steals credentials. When this post went live, VersaMem wasn’t detected as malicious by any of the major endpoint protection platforms. The researchers said they hope Tuesday’s report may help network defenders identify additional modules used in the campaign.
The code responsible for stealing credentials and performing other functions runs solely in memory. By eliminating the requirement that files be stored on disk, the in-memory design lessens the chances of infections being detected.
To further lessen the chances of detection, the threat actors used compromised home and small-office routers to exploit the Versa Director systems. Proxying attacks through such devices is a favorite tactic of both China- and Russia-state hackers. In January, the FBI surreptitiously sent commands to hundreds of such routers to remove malware left by Chinese hackers. Threat actors working for the Chinese government have continued actively using the tactic since then.
Based on the tactics, techniques, and procedures observed in the hacks, Black Lotus said it has moderate confidence they’re the work of Volt Typhoon, the name used to track a China-state hacker group that’s among the world’s most active and sophisticated.
Earlier this year, officials with the US Cybersecurity and Infrastructure Security Agency (CISA) said that Volt Typhoon was maintaining a foothold inside the networks of multiple US critical infrastructure organizations, including those in communications, energy, transportation, and water and wastewater sectors. CISA said that the hackers were pre-positioning themselves inside IT environments to enable disruption operations across multiple critical infrastructure sectors in the event of a crisis or conflict with the US. The officials said the hackers had been present in some of the networks for as long as five years.
Organizations that use Versa Director should read the indicators of compromise in the Black Lotus post to check if their systems have also been targeted.