One cybersecurity company believes that the China-linked threat actor known as Volt Typhoon is responsible for an attack that leveraged a zero-day vulnerability in Versa Director, a management platform used by internet service providers (ISPs) and managed service providers (MSPs) to manage virtual WAN connections.
So far, the cybersecurity company is aware of five ISPs/MSPs that have been breached, four of which are located in the U.S.
The vulnerability, designated CVE-2024-39717, lies in a seemingly harmless feature that allows users with administrative privileges to upload images to customize the interface’s theme. However, the feature does not properly validate uploads, so malicious Java files disguised as PNG images can be uploaded and subsequently executed remotely by the threat actor.
Versa, the company behind Versa Director, has confirmed that the threat actor was able to obtain administrative privileges, a requirement of CVE-2024-39717, by accessing the exposed high availability (HA) port on Versa Director devices, which is open by default. The threat actor used this access to create an administrator-level account and upload a webshell by exploiting CVE-2024-39717. After successful exploitation, the threat actor covered their tracks by deleting the rogue account and harvested the credentials of legitimate users who logged into the device via the implanted webshell.
The researchers attributed the Versa Director attacks to Volt Typhoon since the tactics, techniques, and procedures observed during this campaign are similar to those previously associated with the threat actor. Volt Typhoon, for example, is known to hijack SOHO routers and VPN devices and use them to launch stealthy attacks on targeted organizations.
Source: Bleeping Computer
Analysis
While Versa argues that this attack would not have been possible had victims protected the HA port according to its guidelines, the real problem is that Versa did not implement adequate input validation on the image upload feature.
Threat actors have used this technique for years to compromise and deface public forums, social media accounts, and other online mediums. As a result, most platforms have enabled input validation that ensures users can only upload benign files, not malware in disguise, to avoid this type of scenario.
Field Effect cannot independently confirm whether Volt Typhoon was indeed the threat actor behind this attack. Regardless, users of Versa Director should secure vulnerable devices as soon as possible to mitigate the risk this vulnerability poses no matter the threat actor exploiting it.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in software like Versa Director. Field Effect MDR users are automatically notified if vulnerable software is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly recommends users of affected Versa Director versions update to the latest version as soon as possible, in accordance with the advisory.
Furthermore, Versa Director users should check the /var/versa/vnms/web/custom_logo/ folder for suspicious Java files as these could be webshells.
Finally, users should audit devices for newly created accounts and restrict access to the HA port on ports 4566 and 4570.
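As an added illustration of the folder check above (example code, not from Field Effect or Versa), the Python scanner below flags files in the custom_logo directory whose name or leading bytes do not match a genuine PNG. The sample files and verdict labels are constructed for the demo; on a live device the same scan would be run against the advisory's path.

```python
import os
import tempfile

# Upload directory named in the advisory; run scan_directory(CUSTOM_LOGO_DIR) on a live device.
CUSTOM_LOGO_DIR = "/var/versa/vnms/web/custom_logo/"

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"        # header every real PNG starts with
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # compiled Java .class file
ZIP_MAGIC = b"PK\x03\x04"               # JAR/WAR archives are ZIP containers
SUSPECT_EXTENSIONS = {".java", ".class", ".jar", ".war", ".jsp"}


def classify(name: str, head: bytes) -> str:
    """Return 'ok' or a short reason why the file does not look like a theme image."""
    ext = os.path.splitext(name)[1].lower()
    if ext in SUSPECT_EXTENSIONS:
        return "java-artifact-extension"
    if head.startswith(JAVA_CLASS_MAGIC):
        return "java-class-magic"
    if head.startswith(ZIP_MAGIC):
        return "zip-or-jar-magic"
    if ext == ".png" and not head.startswith(PNG_MAGIC):
        return "png-name-without-png-header"
    return "ok"

def scan_directory(path: str) -> dict:
    """Map each regular file in `path` to its verdict, judging by name and first 8 bytes."""
    findings = {}
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                findings[entry] = classify(entry, fh.read(8))
    return findings

def run_constructed_demo() -> dict:
    """Write constructed sample files into a temp dir and scan them (runs offline)."""
    samples = {                                  # constructed samples, not real artefacts
        "logo.png": PNG_MAGIC + b"\x00" * 16,                 # benign image
        "theme.png": JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34",  # .class renamed to .png
        "bundle.png": ZIP_MAGIC + b"\x00" * 8,                # JAR renamed to .png
        "notes.png": b"<html>not an image</html>",            # text with an image name
        "theme.jsp": b"<html></html>",                        # wrong file type outright
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        return scan_directory(tmp)
```

Any verdict other than "ok" is worth pulling for manual review alongside the account audit described above.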