Cybercriminals are capitalizing on a newly discovered zero-day exploit in a widely used software application, compromising the security of numerous web and IT service providers. Researchers posit a strong link between this exploitation activity and Zirconium, a sophisticated Chinese-language cyber espionage group focused on breaching critical U.S. infrastructure, including government agencies, defense contractors, and major corporations. The group is believed to be establishing networks and laying the infrastructure needed to disrupt communication flows between America and Asia in the event of a future military conflict with China.
Web service providers and managed service providers running Versa Director use it to serve the IT needs of numerous small- to medium-sized enterprises, primarily organizations with multiple sites and remote users. In an advisory published Aug. 26, Versa urged customers to promptly apply a security update addressing the identified vulnerability, which affects systems running versions 26 or later.
Versa noted that a weakness in certain systems permits attackers to upload a file of their choice, potentially compromising vulnerable applications. The advisory largely placed the blame on Versa customers, stating that they had failed to implement system hardening measures and had disregarded firewall guidelines, leaving an administrative port exposed to the internet and thereby providing initial access to threat actors.
While Versa’s advisory is silent on how it discovered the zero-day flaw, its entry on mitre.org does reveal that the reports of exploitation were based on backbone telemetry observations from a third-party provider, although these remain unverified for now.
Those third-party reports arrived in late June 2024, courtesy of a senior lead information security engineer at Akamai Technologies’ Security Research Team, which operates one of the world’s largest internet backbones.
In an exclusive interview with KrebsOnSecurity, Horka revealed that Black Lotus Labs had identified a web-based backdoor embedded in the Versa Director systems of four U.S. victims and one non-U.S. victim, all in the Internet Service Provider (ISP) and Managed Service Provider (MSP) sectors, with the earliest identified exploitation occurring at a U.S. ISP on June 12, 2024.
“This development enables advanced and well-resourced threat actors, such as APT groups, to exploit Versa Director by compromising or managing community infrastructure at scale, or pivoting into additional networks to fuel further curiosity.”
Black Lotus Labs reportedly assessed the compromises with “medium” confidence, attributing them to Volt Hurricane, a Chinese state-sponsored espionage group known for its use of zero-day attacks targeting IT infrastructure providers and memory-resident, Java-based backdoors.
In May 2023, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint report (PDF) on Volt Hurricane, also known as “Quadback” and “Tick,” which detailed how the group leverages small office/home office (SOHO) network devices to conceal its activities.
In early December 2023, researchers at Black Lotus Labs uncovered a massive botnet comprising hundreds of compromised small office/home office (SOHO) routers, which were coordinated to form a clandestine communication network serving multiple Chinese state-sponsored hacking groups, including Volt Hurricane.
In early January 2024, it was revealed that the FBI had actually uncovered the KV-botnet just before Black Lotus Labs published its December report on the malware.
In February 2024, CISA collaborated once again with the FBI and NSA to respond to the Volt Hurricane incident, which had successfully breached the IT systems of numerous critical infrastructure organizations across various sectors, including communications, power, transportation, water, and wastewater, within both continental and non-continental United States territories, as well as Guam.
The alleged hacking group Volt Hurricane’s unconventional choice of targets and methods is starkly at odds with established norms for cyber espionage and intelligence gathering, leaving the U.S. and global security communities scrambling to understand this anomalous threat actor. Warnings from organizations that monitor cybersecurity threats indicate that the actors are, with striking confidence, deliberately pre-positioning themselves on IT networks so that they can move laterally into operational technology systems and disrupt critical capabilities.
FBI Director warns Vanderbilt University audience in April: “China’s growing capabilities pose the potential to inflict devastating harm on our critical infrastructure at a time of its choosing. The plan appears to be to strike against civilian infrastructure, aiming to create chaos and panic.”
An information security engineer at Lumen expressed disappointment that his company did not even receive an honorable mention in Versa’s latest security advisory. He did express gratitude that relatively few Versa systems have so far been found to be affected by this attack.
“For the past nine weeks, Lumen has worked closely with its management team, seeking ways to support them in mitigating the situation.” “We’ve invested significant effort and resources along the way, making it particularly disappointing to be reduced to a mere third-party reference.”