Saturday, December 21, 2024

Vulnerability Hunters Uncover Critical Flaw in Versa Director Infrastructure, Leaving Managed Service Providers and Internet Service Providers Exposed to Potential Data Breaches.

Volt Typhoon, a Chinese state-sponsored hacking group, has been observed exploiting a vulnerability in Versa Director servers, a product widely used by managed service providers and internet service providers.

The vulnerability was disclosed on Aug. 23, following its discovery by Lumen Technologies.

Versa Networks has released patches for Versa Director versions 21.2.3, 22.1.2, and 22.1.3, but unpatched instances remain exposed in the U.S., the Philippines, Shanghai, and India. The security firm advised customers running these systems to patch immediately, move them behind a hardened network boundary, and take them off the public internet.

Attackers have targeted Versa Director servers because of their widespread adoption in large networks and the central role they play in managing network traffic.

Versa Director enables managed service providers (MSPs) and internet service providers (ISPs) to centrally manage network-wide configuration for SD-WAN-enabled devices. That central position makes it an attractive target: a compromised Director can be used to reach many downstream customer networks at once.

Versa Networks rated the vulnerability "high" severity: although exploitation requires an authenticated, highly privileged user, a successful attack could have large-scale impact.

CVE-2024-39717 affects all Versa Director versions prior to 22.1.4. Attackers deployed a custom web shell, dubbed "VersaMem" by Black Lotus Labs, the threat research arm of Lumen Technologies, to intercept authentication credentials and use them to access downstream customer networks.

Black Lotus Labs attributes the exploitation of CVE-2024-39717 to Volt Typhoon with "moderate confidence", in line with its attribution guidelines, and stressed that exploitation is likely ongoing against Versa Director systems that have not applied the latest patches.

Versa says that only one customer is known to have been affected, by a sophisticated and persistent threat actor. According to the company's incident report, that customer had not followed the system hardening and firewall guidelines Versa published in 2015 and 2017, leaving a management port exposed. That port gave the threat actor initial access without going through the Versa Director graphical user interface.

Black Lotus Labs, however, reports that it identified threat actors exploiting the weakness at four U.S. victims and one non-U.S. victim in the ISP, MSP, and IT sectors, with activity observed as early as June 12. Versa has stated that these third-party observations remain unverified.

Threat actors exploit an exposed Versa management port intended for high-availability (HA) pairing of Director nodes to obtain initial administrative access, which then allows them to deploy the VersaMem web shell.

The Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities catalog and advises organizations to remediate catalog entries promptly as part of their vulnerability management program.

How can CVE-2024-39717 be exploited?

CVE-2024-39717 allows an authenticated user with elevated privileges to upload a malicious file disguised as an image, which can then be executed on the server. Once exploited, the flaw gives the attacker a foothold on the Director and a path to escalate privileges.

Volt Typhoon gained initial access through an exposed administrative port intended for high-availability clustering of Versa Director nodes. From there the attackers deployed a custom web shell on the Apache Tomcat server, which gave them remote access and let them inject malicious code into running Tomcat processes. That in-memory injection allowed them to execute commands and control the compromised system while blending in with legitimate traffic.


The web shell hooked Versa's "setUserPassword" method, letting the attackers capture user credentials in plaintext as they were set; those credentials could then be used to break into customer networks.

The web shell also hooked Tomcat's "doFilter" request-filtering method, intercepting inbound HTTP requests before normal processing. This let the threat actors inspect requests for sensitive data and dynamically load additional Java modules into memory, leaving little on disk.

Who is Volt Typhoon?

Volt Typhoon, a hacking group believed to be sponsored by the Chinese government, has targeted critical infrastructure since at least mid-2021. In May 2023, Microsoft published a warning about the group, describing its "living off the land" techniques for data extraction and cyber espionage.

In December 2023, an FBI investigation uncovered a large botnet the group had built from thousands of compromised privately owned routers across the United States and its overseas territories. The following month, the Department of Justice announced that the malware had been removed from the compromised routers, dismantling the botnet.

To ensure the integrity of Versa Director servers, implement a combination of administrative and technical safeguards.

Regularly patch and update software to prevent exploitation of known vulnerabilities. Implement robust authentication mechanisms to restrict access to authorized personnel only.

Configure logging settings to capture detailed information about system activity and security incidents. Monitor logs for suspicious patterns or anomalies that could indicate potential threats.

Use strong encryption protocols to protect data transmitted over networks. Configure firewalls to block unauthorized incoming and outgoing network traffic.

Implement role-based access control (RBAC) to restrict user privileges and prevent unauthorized changes to configurations or data. Use secure boot mechanisms to ensure the integrity of firmware updates.

Regularly back up critical system data to a secure location and test backups to ensure recoverability in case of a disaster. Implement incident response plans to quickly respond to security breaches.

Use multi-factor authentication (MFA) to add an additional layer of security for remote access to Versa Director servers.

Versa Networks and Lumen Technologies have issued specific recommendations for operators of Versa Director servers:

  1. Apply the available patches for versions 21.2.3, 22.1.2, and 22.1.3, or upgrade to 22.1.4.
  2. Follow Versa Networks' published network and security best practices, including its system hardening and firewall guidelines.
  3. Hunt for signs of compromise:
     a) Examine "/var/versa/vnms/web/custom_logo/" for unusual or unexpected files. Running "file -b --mime-type <.png file>" on each file should report "image/png"; anything else is suspect.
     b) Look for connections to Versa Director servers on port 4566 from IP addresses that are not Versa nodes, such as SOHO devices.
     c) Review newly created user accounts and look for anomalies in account data.
     During this review, go through existing account records, system logs, and authentication data to identify potential breaches. If suspicious activity is found, prioritize it and act quickly to contain the threat.
  4. Ensure that only the ports required for High Availability (HA) pairing are open between the active and standby Versa Director nodes.
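The two hunting steps above (a non-PNG file in the custom logo directory, and a port-4566 connection from a host that is not a Versa node) can be scripted. The following is an added example, not code from Versa Networks or Black Lotus Labs: the directory path comes from the advisory, the 8-byte PNG signature check is what `file --mime-type` keys on, and the connection-log format, the sample files, and the set of known Versa node addresses are constructed assumptions for the demo.

```python
"""Hunting for CVE-2024-39717 artifacts: spoofed "images" and rogue HA-port connections.

Added example; not part of the Versa or Black Lotus Labs guidance. The log line
format and all sample data below are constructed for illustration.
"""
import ipaddress
import re
import tempfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"      # 8-byte PNG signature; `file` reports image/png on it
VERSA_HA_PORT = 4566                    # Director HA pairing port named in the advisory
CUSTOM_LOGO_DIR = "/var/versa/vnms/web/custom_logo/"  # directory to audit on a real Director

# Constructed log format (assumption): "<timestamp> <src_ip> -> <dst_ip>:<dst_port>"
CONN_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+):(?P<port>\d+)$")


def looks_like_png(data: bytes) -> bool:
    """True only if the bytes start with the PNG signature; the extension is ignored."""
    return data[:8] == PNG_MAGIC


def find_spoofed_images(directory) -> list:
    """Return names of files in `directory` that are not PNG by content.

    Mirrors the advisory's `file -b --mime-type` check: anything under the custom
    logo directory that is not image/png (e.g. a JAR or JSP renamed to .png) is suspect.
    """
    suspicious = []
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            head = fh.read(8)
        if not looks_like_png(head):
            suspicious.append(path.name)
    return suspicious


def rogue_ha_connections(log_lines, versa_nodes) -> list:
    """Return (timestamp, src, dst) for port-4566 connections from non-Versa sources.

    `versa_nodes` is the operator-maintained set of Director node IPs (assumption);
    legitimate HA traffic only ever comes from those peers.
    """
    allowed = {ipaddress.ip_address(ip) for ip in versa_nodes}
    hits = []
    for line in log_lines:
        m = CONN_RE.match(line.strip())
        if not m or int(m["port"]) != VERSA_HA_PORT:
            continue                       # unparsable line or not the HA port
        if ipaddress.ip_address(m["src"]) not in allowed:
            hits.append((m["ts"], m["src"], m["dst"]))
    return hits


def demo() -> dict:
    """Run both checks over constructed sample data and return the findings."""
    # Constructed files standing in for the contents of CUSTOM_LOGO_DIR.
    samples = {
        "favicon.png": PNG_MAGIC + b"\x00" * 16,            # genuine PNG header: clean
        "logo.png": b"PK\x03\x04" + b"\x00" * 20,            # ZIP/JAR bytes behind a .png name
        "shell.png": b"<%@ page import=\"java.io.*\" %>",    # JSP source behind a .png name
    }
    # Constructed connection records; 10.0.0.1/10.0.0.2 are the assumed Director HA pair.
    log_lines = [
        "2024-06-12T03:14:05Z 10.0.0.2 -> 10.0.0.1:4566",      # standby peer: legitimate
        "2024-06-12T03:15:22Z 203.0.113.45 -> 10.0.0.1:4566",  # unknown source on HA port
        "2024-06-12T03:16:01Z 203.0.113.45 -> 10.0.0.1:443",   # GUI port, out of scope here
    ]
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in samples.items():
            (Path(tmp) / name).write_bytes(blob)
        spoofed = find_spoofed_images(tmp)
    rogue = rogue_ha_connections(log_lines, {"10.0.0.1", "10.0.0.2"})
    return {"spoofed_images": spoofed, "rogue_ha": rogue}


if __name__ == "__main__":
    findings = demo()
    print("non-PNG files in logo dir:", findings["spoofed_images"])
    print("port-4566 connections from non-Versa hosts:", findings["rogue_ha"])
```

On a real Director, point `find_spoofed_images` at `CUSTOM_LOGO_DIR` and feed `rogue_ha_connections` with flow or firewall records converted to the simple line format above; any hit in either list warrants the account and log review in step 3c.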

For additional technical details, indicators of compromise, and recommendations, refer to the reports from Black Lotus Labs and Versa Networks.
