
ISPs in USA and India targeted via zero-day in Versa Director app


Chinese hacker group Volt Typhoon exploited a then-unpatched zero-day vulnerability (CVE-2024-39717) in the Versa Director software, a management tool widely used by internet service providers (ISPs) and managed service providers (MSPs), to target two ISPs, one MSP and an IT provider in the United States, as well as one Indian ISP.

Dubbed VersaMem by researchers, the web shell deployed through the flaw intercepts traffic passing through the Versa server and harvests credentials, giving the hackers access to customers’ networks. The web shell is also modular, allowing the threat actors to load additional Java code that runs exclusively in memory.

According to researchers, the hackers sought to steal and misuse credentials from the compromised networks. Their strategy involved targeting Versa servers, which serve as key junctions, allowing the attackers to infiltrate downstream networks connected to the vulnerable servers.

“This wasn’t limited to just telecoms, but managed service providers and internet service providers,” researchers explained to TechCrunch.

They added that the attackers likely viewed these companies as prime targets because of the expansive access they could offer to other networks, amplifying the threat posed by the initial breach.

China has been known to back several cyber threat actors and use them for its advantage.

In response to the discovery, Versa Networks patched the zero-day flaw as an emergency measure in late June, shortly after the vulnerability was reported.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) was notified about the security breach and subsequently added the newly discovered vulnerability to its catalogue of known exploited vulnerabilities. CISA released an advisory to emphasise the dangers associated with these types of flaws, pointing out that malicious actors frequently target such weaknesses and that they pose a considerable risk to government organisations’ digital infrastructure.

China-based threat actors have a history of targeting nations they consider unfriendly. In June 2024, it was reported that a Chinese state-sponsored group, RedJuliett, was targeting organisations in more than 10 countries.

Furthermore, in July, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) and other agencies announced that the Chinese group APT40 could exploit newly disclosed flaws within hours, highlighting the group’s advanced technical prowess.

Also in July, another Chinese threat actor, Smishing Triad, was found to be targeting Indian users with India Post phishing scams.

In August, we reported that yet another China-linked threat actor, Evasive Panda, had compromised an ISP and was using it for malicious software updates.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
