August 27, 2024

Malicious hackers are exploiting a zero-day vulnerability in Versa Director, a software product used by many Internet and IT service providers. Researchers believe the activity is linked to Volt Typhoon, a Chinese cyber espionage group focused on infiltrating critical U.S. networks and laying the groundwork for the ability to disrupt communications between the United States and Asia during any future armed conflict with China.

Image: Shutterstock.com

Versa Director systems are primarily used by Internet service providers (ISPs), as well as managed service providers (MSPs) that cater to the IT needs of many small to mid-sized businesses simultaneously. In a security advisory published Aug. 26, Versa urged customers to deploy a patch for the vulnerability (CVE-2024-39717), which the company said is fixed in Versa Director 22.1.4 or later.

Versa said the weakness allows attackers to upload a file of their choosing to vulnerable systems. The advisory placed much of the blame on Versa customers who “failed to implement system hardening and firewall guidelines…leaving a management port exposed on the internet that provided the threat actors with initial access.”

Versa’s advisory doesn’t say how it learned of the zero-day flaw, but its vulnerability listing at mitre.org acknowledges “there are reports of others based on backbone telemetry observations of a 3rd party provider, however these are unconfirmed to date.”

Those third-party reports came in late June 2024 from Michael Horka, senior lead information security engineer at Black Lotus Labs, the security research arm of Lumen Technologies, which operates one of the global Internet’s largest backbones.

In an interview with KrebsOnSecurity, Horka said Black Lotus Labs identified a web-based backdoor on Versa Director systems belonging to four U.S. victims and one non-U.S. victim in the ISP and MSP sectors, with the earliest known exploit activity occurring at a U.S. ISP on June 12, 2024.

“This makes Versa Director a lucrative target for advanced persistent threat (APT) actors who would want to view or control network infrastructure at scale, or pivot into additional (or downstream) networks of interest,” Horka wrote in a blog post published today.

Black Lotus Labs said it assessed with “medium” confidence that Volt Typhoon was responsible for the compromises, noting the intrusions bear the hallmarks of the Chinese state-sponsored espionage group — including zero-day attacks targeting IT infrastructure providers, and Java-based backdoors that run in memory only.

In May 2023, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Cybersecurity Infrastructure Security Agency (CISA) issued a joint warning (PDF) about Volt Typhoon, also known as “Bronze Silhouette” and “Insidious Taurus,” which described how the group uses small office/home office (SOHO) network devices to hide their activity.

In early December 2023, Black Lotus Labs published its findings on “KV-botnet,” thousands of compromised SOHO routers that were chained together to form a covert data transfer network supporting various Chinese state-sponsored hacking groups, including Volt Typhoon.

In January 2024, the U.S. Department of Justice disclosed the FBI had executed a court-authorized takedown of the KV-botnet shortly before Black Lotus Labs released its December report.

In February 2024, CISA again joined the FBI and NSA in warning Volt Typhoon had compromised the IT environments of multiple critical infrastructure organizations — primarily in communications, energy, transportation systems, and water and wastewater sectors — in the continental and non-continental United States and its territories, including Guam.

“Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT [operational technology] assets to disrupt functions,” that alert warned.

In a speech at Vanderbilt University in April, FBI Director Christopher Wray said China is developing the “ability to physically wreak havoc on our critical infrastructure at a time of its choosing,” and that China’s plan is to “land blows against civilian infrastructure to try to induce panic.”

Ryan English, an information security engineer at Lumen, said it’s disappointing his employer didn’t at least garner an honorable mention in Versa’s security advisory. But he said he’s glad there are now a lot fewer Versa systems exposed to this attack.

“Lumen has for the last nine weeks been very intimate with their leadership with the goal in mind of helping them mitigate this,” English said. “We’ve given them everything we could along the way, so it kind of sucks being referenced just as a third party.”


12 thoughts on “New 0-Day Attacks Linked to China’s ‘Volt Typhoon’”

  1. Bob A.

    This post is astonishing, and alarming. The Chinese are preparing for war? It’s said that if you don’t trade goods, you trade bullets. I sure hope the US has something positive planned for when the Russians/Iranians/Chinese try to take down our internet.

    1. joeyboy

      They’re not just taking down our internet. They’re taking down our entire infrastructure. World War 3 will not be fought with aircraft carriers and jet fighters. It is already being fought with keyboards.

      1. Lawrence San

        Actually, World War III will be fought with *both* analog and digital weapons. In fact… as the current wars raging around the world have shown… those are no longer separate modes, it’s one integrated battlefield now.

        – San, sanstudio.com

    2. China Number 233

      I wouldn’t be any more alarmed than you were yesterday. China has been up to this for ages. It’s a normal part of their tactics. They even sell insecure products by design so they can breach you whenever they feel like it.

    3. Dave Smith

      You act as if the US didn’t open this Pandora’s box with Stuxnet. And, as if leaks have not already proven the same has already happened in reverse, and this is just China doing the same thing in return. So by your logic, wouldn’t that be “The Americans are preparing for war?” What goes around comes around, but like usual, Americans are mad when the messed up world security state they created comes around to bite them as well. It happened with nuclear weapons, and now it’s happening with cyber. The way I see it, it’s not so much a preparation for war as it is that they are simply doing what the US has been doing all along, just like with the “military civilian fusion” that Americans love to complain about. What’s good for the goose is good for the gander, they say.

  2. Clark Huxley

    “victim in…MSP sector.” I’d love to see details emerge about this, because Versa worked with some large MSPs which may have had dozens, if not hundreds of clients using Versa systems. Versa also appears to have not invested internally in security; a quick search on LinkedIn and I can only find two full-time employees in technical security, and no CISO position at all. Versa’s leadership page shows no one technical on the leadership team; it’s the CEO, the former CEO (as CDO and “Chief Soul Officer?”) and sales/marketing roles. Not even a CTO, let alone a CISO.

    1. Wannabe Techguy

      “Versa also appears to have not invested internally in security” Well, not sure they would agree. “The advisory placed much of the blame on Versa customers”. Sure blame your customers.

  3. Fr00tL00ps

    “The advisory placed much of the blame on Versa customers who ‘failed to implement system hardening and firewall guidelines…’”
    Zero trust should be the default. When you provide a product that has such granular and elevated access to sensitive systems, LOCK IT DOWN!
    If the client complains that it ‘breaks things’, then the onus is on them to upskill or redesign processes so they do work, safely and securely.
    Quit the victim blaming when security is also your responsibility.

  4. Catwhisperer

    Hopefully there is something similar to a kill switch that disables the boundary nodes. The ways you can come in from anywhere in the world into the US internet are physically limited by the trunks that carry the data. Those boundary nodes are well known, and their count may be high, but is not infinite. I’ll wager we have the great firewall too, after a fashion. If we do, we just choose not to use it on a daily basis against our populace.

  5. Mahhn

    Is there another way to see this other than prepping to attack/start war?
    “Chinese cyber espionage group focused on infiltrating critical U.S. networks and laying the groundwork for the ability to disrupt communications between the United States and Asia during any future armed conflict with China.”

    “Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT [operational technology] assets to disrupt functions,”

  6. Edwin Lorenzo-Vargas

    Security researchers revealed the latest recorded zero-day attack on Versa Director Software was attributed to APT, Volt Typhoon, which focuses on the United States’ critical systems. The group targets the weaknesses of systems employed by ISPs and MSPs and seems to intend to interfere with U.S.–Asia interactions in future conflicts. An initial and severely upsetting security advisory came from Versa to patch the discovered vulnerability (CVE-2024-39717). Black Lotus Labs have identified backdoors in the affected system and linked the activity to the threat group, Volt Typhoon (Krebs, 2019). They are famous for Organized IT systems attacks on the first day of these systems’ utilization and Java-based hidden backdoors. They have been reported before by security organizations today, such as the NSA as well as the FBI, as a group that utilizes refined methods.
