
Chinese APT Exploits Versa Networks Zero-Day Flaw


The vulnerability impacts versions of Versa Director prior to 22.1.4, and Versa Networks recommends that impacted users update to the fixed version as soon as possible.

Researchers have discovered Chinese state-sponsored actors exploiting a zero-day vulnerability in Versa Director, Versa Networks’ virtualization and service creation platform, in a highly targeted campaign impacting several U.S.-based victims.

The vulnerability, categorized as high severity by the National Vulnerability Database, was found in Versa Director servers (CVE-2024-39717), and was publicly disclosed Aug. 22. The bug stems from the GUI of Versa Director, a key component for managing SD-WAN networks, which is used by internet service providers (ISPs) and managed service providers (MSPs). In an Aug. 26 advisory, Versa Networks said the GUI flaw could allow potentially malicious files to be uploaded by users with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges.

Researchers with Lumen Technologies’ Black Lotus Labs first uncovered exploitation activity for the flaw between June 12 and mid-July 2024, impacting five organizations across the ISP, MSP and IT sectors. They assessed with moderate confidence that the threat actor behind the attack is Volt Typhoon, a known sophisticated Chinese APT behind several campaigns this year on U.S. critical infrastructure.

“Given the severity of the vulnerability, the sophistication of the threat actors, the critical role of Versa Director servers in the network, and the potential consequences of a successful compromise, Black Lotus Labs considers this exploitation campaign to be highly significant,” said researchers in a Tuesday analysis.

Versa Networks customers were first warned of the activity in private security advisories sent on July 26 and Aug. 8, which contained a hotfix.

After exploiting the flaw, the threat actors deployed a unique custom webshell called “VersaMem,” which allowed them to inject malicious code into the Tomcat web server. The webshell operated entirely in memory, making the actor’s activities stealthier, said researchers.

“The VersaMem shell, both in name (“Director_tomcat_memShell”) and in functionality, is custom-tailored to interact with Versa Directors,” said researchers. “On execution, the web shell attaches to the primary Apache Tomcat (Java servlet and web server) process and takes advantage of the Java Instrumentation API and Javassist (Java bytecode manipulation toolkit) to dynamically modify Java code in-memory.”

The malware also had the ability to harvest plaintext user credentials, which could give attackers access to downstream customer networks as an authenticated user, said researchers. For MSPs, which manage platform, software, IT infrastructure and security services, and support functions for customers, this type of access is significant. Because these companies store customer data and support sensitive processes, they are in a unique position where they have trusted network connectivity and privileged access to customer systems, and government agencies like CISA have previously warned that these organizations are considered valuable targets for threat actors.

The vulnerability impacts versions of Versa Director prior to 22.1.4, and Versa Networks recommended that impacted users update to the fixed version, 22.1.4, as soon as possible. The flaw has been flagged in CISA's Known Exploited Vulnerability catalog, and federal agencies have until Sept. 13 to apply patches.
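The advisory describes two conditions that together gave the attackers their opening: a Director build older than 22.1.4, and a management interface reachable from the internet. The following triage script is an added example, not code from the article or from Versa Networks; it takes an asset inventory and ranks hosts by which of those two conditions apply. The inventory format, the host names and versions, and the `mgmt_internet_exposed` field are all constructed for illustration; the only facts taken from the article are the fixed release (22.1.4) and the vulnerable range ("prior to 22.1.4"). It also shows why version strings must be compared numerically rather than as text.

```python
# Added example (not from the article or from Versa Networks): triage a
# constructed asset inventory for Versa Director hosts that are still below
# the fixed release and/or expose their management interface to the internet.
from __future__ import annotations

import re
from dataclasses import dataclass

FIXED_VERSION = "22.1.4"  # fixed release named in the vendor advisory

# Accept an optional leading "v" and ignore any suffix such as "-hotfix".
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '22.1.4' or 'v22.1.3-hotfix' into a tuple of ints."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_below_fixed(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is strictly older than `fixed`.

    Components are compared numerically, so 22.1.10 sorts after 22.1.4
    (a plain string comparison would wrongly call 22.1.10 vulnerable).
    Missing trailing components count as zero, so 22.1 == 22.1.0.
    """
    v, f = parse_version(version), parse_version(fixed)
    width = max(len(v), len(f))
    v += (0,) * (width - len(v))
    f += (0,) * (width - len(f))
    return v < f


@dataclass
class DirectorHost:
    name: str
    version: str
    # Hypothetical inventory field: True when the Director management
    # interface is reachable from the internet (the exposure the advisory
    # says gave the attackers initial access).
    mgmt_internet_exposed: bool


# Severity rank 0 is the combination the advisory describes as the path in.
_FINDINGS = {
    (True, True): (0, "unpatched AND management interface internet-exposed"),
    (True, False): (1, "unpatched: update to 22.1.4"),
    (False, True): (2, "patched, but management interface internet-exposed"),
}


def triage(hosts: list[DirectorHost]) -> list[tuple[str, str]]:
    """Return (host, finding) pairs, most urgent first; clean hosts are omitted."""
    ranked = []
    for h in hosts:
        key = (is_below_fixed(h.version), h.mgmt_internet_exposed)
        if key in _FINDINGS:
            rank, finding = _FINDINGS[key]
            ranked.append((rank, h.name, finding))
    ranked.sort(key=lambda r: r[0])  # stable: inventory order within a rank
    return [(name, finding) for _, name, finding in ranked]


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    DirectorHost("director-01", "22.1.3", True),       # both problems
    DirectorHost("director-02", "22.1.4", False),      # clean
    DirectorHost("director-03", "v22.1.10", False),    # newer than 22.1.4
    DirectorHost("director-04", "21.2", True),         # both problems
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_INVENTORY):
        print(f"{host}: {finding}")
```

Run it as-is to see the two constructed hosts that match the advisory's failure pattern; feed it your own inventory by building `DirectorHost` records from whatever source of truth you keep.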

Versa Networks also urged customers to adhere to several guidelines it had published years ago, which recommended best practices for securing various ports, protocols and components for its products.

“Impacted customers failed to implement system hardening and firewall guidelines… leaving a management port exposed on the internet that provided the threat actors with initial access,” according to Versa Networks’ advisory about the vulnerability in its product. “Although the vulnerability is difficult to exploit, it’s rated ‘High’ and affects all Versa SD-WAN customers using Versa Director, that have not implemented the system hardening and firewall guidelines.”