Volt Typhoon exploiting Versa Director zero-day flaw

The notorious Chinese nation-state threat group Volt Typhoon exploited a Versa Networks zero-day vulnerability in recent attacks, according to research from Lumen Technologies.

In a report Tuesday from Lumen's Black Lotus Labs, researchers said they observed exploitation of CVE-2024-39717, a high-severity privilege escalation flaw in SD-WAN software Versa Director that was first disclosed on Aug. 22. According to Versa Networks, attackers can use the zero-day vulnerability to upload malicious files with administrator-level privileges to Versa Director servers.

Black Lotus Labs researchers said telemetry showed exploitation of CVE-2024-39717 as far back as June 12. Researchers said they attributed the activity with moderate confidence to Volt Typhoon, a state-sponsored hacking group associated with the Chinese government that has been targeting critical infrastructure organizations in the U.S.

"Black Lotus Labs identified a unique, custom-tailored web shell that is tied to this vulnerability, which we call 'VersaMem.' The web shell's primary purpose is to intercept and harvest credentials which would enable access into downstream customers' networks as an authenticated user," the blog post said.

According to Lumen's report, the zero-day attacks affected four U.S. organizations and one non-U.S. organization in the ISP, MSP and IT sectors. Researchers noted that the exploitation activity stemmed from threat actor-controlled small office/home office routers, which Volt Typhoon has used in previous attacks.

In a blog post Monday, Versa Networks confirmed exploitation "in at least one known instance by an Advanced Persistent Threat actor." The vendor also said the activity was "[t]argeted at managed service providers."

TechTarget Editorial contacted Versa Networks for additional comment, but the company has not responded at press time.

Black Lotus Labs researchers noted that Volt Typhoon's zero-day attacks have "remained highly targeted" and are likely ongoing against unpatched Versa Director servers. They also warned that Versa Director servers are lucrative targets for threat actors because they can abuse the SD-WAN network infrastructure before pivoting to downstream clients.

Black Lotus Labs recommended that Versa Director users upgrade to a patched version of the software and search their networks for indicators of compromise. Researchers encouraged users to implement firewall rules and system hardening techniques that Versa Networks previously sent to customers on July 26 and Aug. 8.

Rob Wright is a longtime reporter and senior news director for TechTarget Editorial's security team. He drives breaking infosec news and trends coverage. Have a tip? Email him.