Dive Brief:
- Volt Typhoon, a prolific state-linked threat actor, is exploiting a zero-day vulnerability in Versa Director servers in a campaign targeting internet service providers, managed service providers and other technology firms, researchers from Black Lotus Labs warned in a blog post Tuesday.
- The vulnerability, tracked as CVE-2024-39717, is a dangerous-file-upload flaw: it lets a user who already holds an administrator-level role on Versa Director upload potentially malicious files through the web interface, which the attacker then uses to run code on the server.
- Black Lotus Labs researchers identified a custom webshell, which they call VersaMem, designed to intercept and harvest credentials passing through the Director and to let an attacker reach the downstream customer networks managed from that server as an authenticated user.
Dive Insight:
Volt Typhoon is one of the most high-profile threat actors facing the U.S. in recent memory. In January, the FBI and other federal authorities warned the China-linked actor was actively working to infiltrate critical infrastructure providers to potentially launch a diversionary attack in the event of a military escalation in the Asia-Pacific region.
Black Lotus Labs researchers identified multiple actor-controlled small-office/home-office devices that were used to exploit the zero-day against five targets, four of them in the U.S., all of which are internet service providers, managed service providers or IT companies.
“The malware gives the attacker admin-level privileges and allows them to load just about anything they want,” said Michael Horka, senior lead information security researcher at Black Lotus Labs. “Their whole purpose was to remain passive and steal data.”
Horka said the threat actor could have potentially committed other acts, such as manipulating data, but that type of activity would have been harder to conceal.
Versa Networks released a patch for the vulnerability and is working with customers to get them to apply the update and implement system hardening guidelines. The company is aware of three companies that have been compromised worldwide, including one ISP and two MSPs, according to CMO Dan Maier.
Censys reports that of 164 Versa Director hosts reachable from the public internet, about 25 (roughly 15%) expose a management port, according to Himaja Motheram, a security researcher at Censys. Many of these organizations are telecoms or ISPs, the types of companies the campaign is targeting.
Black Lotus Labs shared its findings with U.S. authorities. The Cybersecurity and Infrastructure Security Agency on Tuesday urged organizations to apply all necessary updates, check for any malicious activity and report back any confirmed results to the agency.
CISA added the vulnerability to its known exploited vulnerabilities catalog.
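The two things the brief tells operators to do are to close the management-port exposure Censys measured and to look for signs of malicious activity before reporting to CISA. The script below is an added example illustrating both checks; it is not code from Black Lotus Labs, Versa or the article. The HA port numbers (4566 and 4570) and the favicon upload directory path are my assumptions based on Versa's published hardening guidance, not details stated on this page, and the sample directory listing at the bottom is constructed for the example.

```python
"""Offline checks for a Versa Director host (added example, not vendor code).

1. exposed_ha_ports: given the set of TCP ports open to the internet,
   report any that should be reserved for Director-to-Director HA traffic.
2. suspicious_uploads: given (filename, first bytes) pairs from the favicon
   upload directory, flag anything that is not actually an image.  The
   filename extension is ignored on purpose: a webshell dropped through the
   file-upload flaw can carry a harmless-looking ".png" name.
"""
import os

# Assumption: HA ports Versa's hardening guidance says must not face the internet.
HA_PORTS = frozenset({4566, 4570})

# Assumption: default location of files uploaded via the "Change Favicon" feature.
UPLOAD_DIR = "/var/versa/vnms/web/custom_logo/"

# Magic bytes of formats a favicon upload may legitimately contain.
IMAGE_MAGIC = {
    b"\x00\x00\x01\x00": "ico",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}

# Signatures that have no business in an icon upload.
EXEC_MAGIC = {
    b"PK\x03\x04": "zip/jar archive",
    b"\xca\xfe\xba\xbe": "java class file",
    b"\x7fELF": "ELF binary",
    b"#!": "script",
    b"<?php": "php source",
    b"<%": "jsp source",
}


def exposed_ha_ports(open_ports, ha_ports=HA_PORTS):
    """Return the HA management ports found among the externally open ports."""
    return sorted(set(open_ports) & set(ha_ports))


def classify_upload(name, head):
    """Classify one uploaded file by content, returning (verdict, kind)."""
    for magic, kind in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return ("image", kind)
    for magic, kind in EXEC_MAGIC.items():
        if head.startswith(magic):
            return ("suspicious", kind)
    # Unknown content in an image-only directory is worth a look too.
    return ("suspicious", "unrecognized content")


def suspicious_uploads(listing):
    """listing: iterable of (filename, first_bytes). Returns flagged files."""
    flagged = []
    for name, head in listing:
        verdict, kind = classify_upload(name, head)
        if verdict != "image":
            flagged.append((name, kind))
    return flagged


def scan_upload_dir(path=UPLOAD_DIR, nbytes=8):
    """Read the first bytes of each file in the upload directory and flag it."""
    listing = []
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                listing.append((entry, fh.read(nbytes)))
    return suspicious_uploads(listing)


# Constructed sample listing: two real image headers and one ".png" whose
# content is actually a zip/jar archive.
SAMPLE_LISTING = [
    ("favicon.ico", b"\x00\x00\x01\x00\x01\x00\x10\x10"),
    ("logo.png", b"\x89PNG\r\n\x1a\n"),
    ("theme.png", b"PK\x03\x04\x14\x00\x08\x08"),
]

if __name__ == "__main__":
    print("exposed HA ports:", exposed_ha_ports({22, 443, 4566}))
    print("flagged uploads:", suspicious_uploads(SAMPLE_LISTING))
```

Run `scan_upload_dir()` on the Director itself, and feed `exposed_ha_ports` the result of a port scan taken from outside the management network rather than from the host's own interface. The file check only finds what was written to disk; a webshell that the article describes as harvesting credentials in the running service may leave nothing in that directory, so treat a clean listing as inconclusive rather than as a clean bill of health.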