Volt Typhoon’s Zero-Day Exploit: Versa Director Under Siege
The Chinese hacker group Volt Typhoon carried out a series of attacks exploiting a zero-day vulnerability in the Versa Director management system—a platform utilized by internet service providers to manage virtual networks.
The vulnerability, CVE-2024-39717 (CVSS score: 7.2), allows malicious files disguised as PNG images to be uploaded, granting access to corporate networks. The flaw affected versions 21.2.3, 22.1.2, and 22.1.3. Upgrading to version 22.1.4 addresses the issue, and Versa advises administrators to follow the system protection guidelines. Additionally, CISA recently added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
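The root cause above is an upload path that trusts a file's claimed image type. As an added defensive illustration (not code from the article, from Versa, or from the researchers), the following Python check shows how an upload handler can verify that a file presented as a PNG is structurally a PNG (correct signature, IHDR chunk first, every chunk CRC valid, IEND last with no trailing bytes) instead of relying on the extension; the sample inputs are constructed here and do not represent the actual malicious file.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def is_well_formed_png(data: bytes) -> bool:
    """Return True only if `data` is a structurally valid PNG.

    Checks: 8-byte signature, IHDR as the first chunk, each chunk's
    declared length and CRC, and an IEND chunk that ends the file
    (trailing bytes after IEND are rejected, since appended payloads
    are a common way to hide content inside an otherwise valid image).
    """
    if not data.startswith(PNG_SIGNATURE):
        return False
    pos = len(PNG_SIGNATURE)
    first_chunk = True
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if len(body) != length or pos + 12 + length > len(data):
            return False  # declared length runs past the end of the file
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False  # corrupted or hand-crafted chunk
        if first_chunk and ctype != b"IHDR":
            return False
        first_chunk = False
        if ctype == b"IEND":
            return pos + 12 + length == len(data)
        pos += 12 + length
    return False  # ran out of data without seeing IEND


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk (length, type, data, CRC)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """Constructed sample: a valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIGNATURE + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"")


def accept_upload(filename: str, data: bytes) -> bool:
    """Accept an image upload only if both the name and the content say PNG."""
    return filename.lower().endswith(".png") and is_well_formed_png(data)
```

Content-based validation of this kind complements, but does not replace, the vendor's fix and the hardening of the HA port described below.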
Researchers from Black Lotus Labs discovered the flaw in June after identifying a malicious file uploaded to VirusTotal. The attackers exploited the vulnerability to install the VersaMem web shell, which remains undetected by antivirus programs. Analysis revealed that since June 12, the web shell has been actively used to compromise SOHO routers and deploy malware.
Although administrative privileges are required to exploit the vulnerability, the hackers gained these through an exposed Versa Director port used for High Availability (HA) node functionality. The attackers created a high-privilege account, implanted a malicious web shell, and subsequently used it to steal user credentials.
Versa confirmed that the vulnerability could have been exploited to steal credentials if the HA port was not secured according to the company’s recommendations. The company also clarified that the port is open by default to enable high-availability functionality.
According to Black Lotus Labs, at least four organizations in the U.S. and one in India were affected. The attackers successfully infiltrated the internal networks of one of the companies. Experts attributed the attacks to the Volt Typhoon group, known for targeting routers and VPN devices to gain stealthy access to target networks. Previously, the group employed similar techniques to create botnets and launch attacks on critical infrastructure.