China's Volt Typhoon Exploits Zero-Day in Versa's SD-WAN Director Servers

China's notorious Volt Typhoon group has been actively exploiting a zero-day bug in Versa Networks' Director Servers, to intercept and harvest credentials to be used future attacks.

The bug, now patched and tracked as CVE-2024-39717, affects all versions of Versa Director prior to 22.1.4, and has to do with a feature that lets users customize the look and feel of its graphical user interface (GUI). Versa Director servers are a component of Versa Networks' software-defined wide area networking (SD-WAN) technology. They allow organizations to centrally configure, manage and monitor network devices manage, traffic routing, security policies and other aspects of a SD-WAN environment. Its customers include ISPs, MSP and many larger organizations.

Dan Maier, CMO at Versa, says the vulnerability can be seen as a privilege escalation bug, because the attacker is harvesting credentials to gain privileged access. He notes that attackers gain initial access to Versa Director via high-availability management ports 4566 and 4570 if they're left open and available over the Internet.

"Once the attackers gain initial access, they escalate privileges to gain highest-level administrator credentials," Maier says, adding that Versa has always instructed customers to limit access to such high-availability ports.

Researchers from Lumen Technologies' Black Lotus Labs discovered the bug and, and noted that their analysis showed the threat actor using attacker-controlled small-office/home-office (SOHO) devices—a common Volt Typhoon tactic—to access vulnerable Versa Director systems via the management ports.

Active Exploitation Since at Least June

Lumen researchers reported the bug to Versa on June 21, or about nine days after they believe Volt Typhoon first began exploiting it. Versa confirmed the zero-day vulnerability and issued a customer advisory describing mitigations for the bug on July 26. The company then released a second advisory on Aug. 8 with technical details, and released a security bulletin on Aug. 26 more fully describing the flaw.

Lumen researchers say the attacker has compromised at least five victims—four of whom are US-based. The victim organizations are from the managed service provider, Internet service provider, and IT sectors, Lumen said.

In its report released today, Lumen researchers said Volt Typhoon actors use CVE-2024-39717 to drop "VersaMem," a bespoke Web shell for capturing plaintext user credentials on affected systems. The threat actor is also using VersaMem to monitor all inbound requests to the underlying Apache Tomcat Web application server, and to dynamically load in-memory Java modules to it, they said.  

"At the time of this writing, we assess the exploitation of this vulnerability is limited to Volt Typhoon and is likely ongoing against unpatched Versa Director systems," according to the Lumen post.

Protect Ports to Prevent Credential-Stealing Malware

HackerOne, through whom Versa coordinated the vulnerability disclosure, has assessed the vulnerability as being only moderately severe, with a base score of 6.6 out of 10 on the CVSS scale. The bug-bounty firm has described the vulnerability as complex to exploit and requiring high user privileges. But Versa itself has described the issue as concerning given the ability to exploit it to upload dangerous files to Versa Director, and its potential widespread footprint: "Although the vulnerability is difficult to exploit, it’s rated 'high' and affects all Versa SD-WAN customers using Versa Director that have not implemented the system hardening and firewall guidelines."

Michael Horka, security researcher with Lumen's Black Lotus, says that when the aforementioned Versa Director management ports 4566 and 4570 are exposed externally the vulnerability is actually fairly easy to exploit.

"The management port provides unauthenticated access to the GUI, which then allows for the exploitation of CVE-2024-39717, leading to an unrestricted file upload and code execution of the [VersaMem] Web shell," he says. "If the Versa Director management ports 4566 and 4570 are not exposed externally, then the threat actor would need to gain access to the Web interface through a different method such as credential theft, phishing, exploiting another vulnerability," he says. "This raises the difficulty level of successful exploitation."

In addition, last year Versa introduced a version of the Director software that includes hardening measures that make the system secure by default, and the bug un-exploitable. "Our customer base is in the midst of their upgrades to this software version," Maier said.

CISA Adds CVE-2024-39717 to Known Exploited Vuln Catalog

The attacks have prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2024-39717 to its catalog of known exploited vulnerabilities. Federal civilian executive branch agencies must apply Versa's mitigations for the flaw by Sept. 13, or discontinue use of the technology till they can mitigate it.

Volt Typhoon is a China-sponsored group that security researchers and the US government alike perceive as one of the most dangerous, pernicious and persistent nation state actors currently active. The group is well known for its attacks on US critical infrastructure targets going back to at least 2021. Many believe the threat actor has established a hidden presence on numerous US networks and has the potential to create widespread disruption in the event that geopolitical tensions over Taiwan escalate into a military conflict between the US and China.

Researchers at Lumen uncovered the campaign when investigating traffic that suggested possible exploitation of Versa Director Servers on June 12. Their analysis showed the threat actor had compiled the Web shell in early June, and uploaded a sample to VirusTotal a few days later to see if any antivirus tools would detect it. As of today, no antivirus tools are able to detect the malware either, Lumen researchers said.

Versa is urging customers to upgrade to remediated or hardened versions of the software and to check if anyone has already exploited the vulnerability in their environment. The company also wants organizations to implement its guidelines for system hardening and firewall rules to mitigate their overall risk.