ISPs and MSPs under attack as Volt Typhoon exploits a Versa Director zero-day
A critical vulnerability, CVE-2024-39717, has been identified in Versa Director servers. It is being actively exploited by the state-linked threat actor Volt Typhoon, and it allows a user of the Director to upload malicious files to the server and escalate to admin-level privileges [1][2][3].
The Threat Posed by Volt Typhoon
Volt Typhoon, a state-linked threat actor, is known for targeting critical infrastructure providers. In January, the FBI and other federal authorities warned that the group was actively working to infiltrate such providers [4]. Its activity is assessed as potentially pre-positioning for a diversionary attack in the event of a military escalation in the Asia-Pacific region [5].
The Malware and Its Impact
The malware deployed through this vulnerability, VersaMem, is a custom web shell designed to intercept and harvest credentials [6]. An attacker holding credentials captured by VersaMem can then reach downstream networks as an authenticated user [7].
Steps to Protect Against the Vulnerability
Versa Networks has released a patch for CVE-2024-39717 (see The Current Response below), and applying it is the first priority. The following steps reduce exposure while the update is being scheduled and remain worthwhile after it is applied:
- Understand the Vulnerability: CVE-2024-39717 is a critical file-upload flaw in Versa Director that lets an attacker plant a web shell on the server [1][2].
- Reduce Exposure: Limit access to the Versa Director GUI by placing it behind a VPN or on a segmented management network, so that the upload path is not reachable from the internet [8]. Censys found that of 164 public hosts running the application, about 25 (roughly 15%) exposed a management port [20].
- Monitor for Suspicious Activity: Review logs regularly for unauthorized access attempts and for file uploads to the Director, especially from unexpected source addresses [9].
- Strengthen Access Controls: Enforce strong authentication and authorization, including multi-factor authentication, so that a stolen password alone is not enough to log in [10].
- Regular Security Audits: Conduct periodic security audits to identify and correct vulnerabilities and misconfigurations [11].
- Keep Software Up-to-Date: Apply the Versa Director update as soon as possible, and keep all other software current to close off other vulnerabilities [12].
- Use Detection Tools: Deploy threat detection tooling that can identify web shell installation and the activity that follows it, and be ready to respond [13].
Taken together, these steps reduce the chance that CVE-2024-39717 or a similar file-upload vulnerability is exploited successfully, and limit the damage if an attacker does get in.
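As an added example that is not part of the original article and not Versa Networks' or Black Lotus Labs' tooling, the following Python script implements the monitoring and detection items above over constructed sample data: it flags upload requests to the management GUI from outside an allowlisted management network, counts repeated failed logins per source address, and checks uploaded files whose names claim to be images but whose bytes are not (a common way to smuggle a web shell through an image-upload feature). The Combined Log Format, the '/upload' and '/login' paths and the management CIDR are assumptions; nothing here is specific to VersaMem, whose internals the article does not describe.

```python
"""Hunt for web-shell uploads against a management web application.
Added example, not Versa Networks' code or Black Lotus Labs' tooling.
Hypothetical assumptions: a Combined-Log-Format access log, uploads via
a path under '/upload', logins at '/login', and the management networks
allowed to reach the GUI given as CIDRs. Sample log lines are constructed."""
import ipaddress
import re
from collections import Counter
from pathlib import Path

# Combined Log Format: client ip, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Leading bytes a genuine image must carry, keyed by claimed extension.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".ico": b"\x00\x00\x01\x00",
}
# Content with no business inside an image: Java class magic, ZIP/JAR
# header, JSP and PHP open tags.
EXECUTABLE_MARKERS = (b"\xca\xfe\xba\xbe", b"PK\x03\x04", b"<%", b"<?php")
# Extensions that should never appear in an upload directory at all.
FORBIDDEN_EXT = {".jsp", ".jspx", ".class", ".jar", ".war", ".php"}


def parse_line(line):
    """Fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def upload_requests_outside(lines, allowed_nets, upload_prefix="/upload"):
    """POST/PUT requests to the upload path from outside the management
    networks: the signal an internet-exposed GUI produces."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("POST", "PUT"):
            continue
        if not rec["path"].startswith(upload_prefix):
            continue
        src = ipaddress.ip_address(rec["ip"])
        if not any(src in net for net in nets):
            hits.append(rec)
    return hits


def failed_login_sources(lines, login_path="/login", threshold=3):
    """Source addresses with at least `threshold` 401/403 responses on the
    login path, i.e. repeated unauthorized access attempts."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(login_path) and rec["status"] in ("401", "403"):
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def is_masquerading(name, data):
    """True if extension and content disagree: an image name without image
    magic, executable content inside a claimed image, or a server-side
    code file outright. Non-image names are not judged here."""
    ext = Path(name).suffix.lower()
    if ext in FORBIDDEN_EXT:
        return True
    magic = IMAGE_MAGIC.get(ext)
    if magic is None:
        return False
    head = data[:4096]
    return not head.startswith(magic) or any(m in head for m in EXECUTABLE_MARKERS)


def masquerading_files(directory):
    """Walk an upload directory and return the paths that fail is_masquerading."""
    return [p for p in Path(directory).rglob("*")
            if p.is_file() and is_masquerading(p.name, p.read_bytes())]


# Constructed sample: a legitimate upload from the management LAN, an upload from
# an unexpected public address that then fetches the "image" it planted, and a
# burst of failed logins from a third address.
SAMPLE_LOG = [
    '10.0.50.12 - - [20/Aug/2024:14:02:11 +0000] "POST /upload HTTP/1.1" 200 512',
    '203.0.113.77 - - [20/Aug/2024:14:05:43 +0000] "POST /upload HTTP/1.1" 200 9431',
    '203.0.113.77 - - [20/Aug/2024:14:06:01 +0000] "GET /images/site.png HTTP/1.1" 200 9431',
    '198.51.100.9 - - [20/Aug/2024:14:07:30 +0000] "POST /login HTTP/1.1" 401 0',
    '198.51.100.9 - - [20/Aug/2024:14:07:31 +0000] "POST /login HTTP/1.1" 401 0',
    '198.51.100.9 - - [20/Aug/2024:14:07:32 +0000] "POST /login HTTP/1.1" 401 0',
]
MANAGEMENT_NETS = ["10.0.50.0/24"]  # hypothetical management LAN

if __name__ == "__main__":
    for rec in upload_requests_outside(SAMPLE_LOG, MANAGEMENT_NETS):
        print("upload from outside management net:", rec["ip"], rec["ts"])
    for ip, n in failed_login_sources(SAMPLE_LOG).items():
        print(f"{n} failed logins from {ip}")
    # A Java class file renamed to .png is flagged; a real PNG header is not.
    print(is_masquerading("site.png", b"\xca\xfe\xba\xbe" + b"\x00" * 64))
    print(is_masquerading("site.png", IMAGE_MAGIC[".png"] + b"\x00" * 64))
```

Run `masquerading_files()` against the Director's real upload or web-root directory rather than the sample, and feed the real access log to the two log functions; an upload from an address you did not expect, followed shortly by requests to the file it created, is the sequence worth escalating. The magic-byte check is deliberately strict (a PNG that also contains a `<%` tag is flagged) because a web shell only has to pass the server's extension filter, not produce a valid image.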
The Current Response
Versa Networks has released a patch for the vulnerability and is working with customers to apply the update and implement its system hardening guidelines [14]. CISA has added CVE-2024-39717 to its Known Exploited Vulnerabilities catalog [23] and urges organizations to apply the update, check for signs of malicious activity, and report any confirmed compromise to the agency [15]. Black Lotus Labs has shared its findings with U.S. authorities [16].
The Extent of the Attacks
Researchers from Black Lotus Labs identified multiple actor-controlled small-office/home-office (SOHO) devices being used to exploit the zero-day against five targets. Four of the five are in the U.S. and are internet service providers, managed service providers, or IT companies [17].
Impacted Organizations
Many of the affected organizations are telecoms or ISPs, exactly the types of companies the campaign targets [18]. According to CMO Dan Maier, Versa Networks is aware of three compromised companies worldwide: one ISP and two MSPs [19].
Given all this, organizations running Versa Director should apply the patch now, verify that the management interface is not reachable from the internet, and hunt for signs of compromise rather than assume they were not targeted.
[1] Michael Horka, senior lead information security researcher at Black Lotus Labs, stated that the malware allows attackers to load anything they want and gain admin-level privileges.
[2] The vulnerability allows users to upload potentially malicious files and gain advanced privileges.
[3] The malware's primary purpose is to remain passive and steal data.
[4] The FBI and other federal authorities warned that Volt Typhoon was actively working to infiltrate critical infrastructure providers.
[5] The goal of Volt Typhoon's activities could potentially be a diversionary attack in the event of a military escalation in the Asia-Pacific region.
[6] Researchers from Black Lotus Labs have identified a custom webshell, VersaMem, designed to intercept and harvest credentials.
[7] VersaMem allows an attacker to gain access to a downstream computer network as an authenticated user.
[8] Limit access to the Versa Director GUI by placing it behind a VPN or segmented network to reduce exposure to potential attacks.
[9] Regularly monitor logs for unusual activity, such as unauthorized access attempts or file uploads.
[10] Enforce strong authentication and authorization mechanisms, including multi-factor authentication, to prevent unauthorized access.
[11] Conduct periodic security audits to identify and address any vulnerabilities or misconfigurations.
[12] Keep all software up to date to prevent exploitation of other vulnerabilities.
[13] Utilize threat detection tools to identify and respond to potential attacks, such as those related to web shell installations.
[14] Versa Networks has released a patch for the vulnerability and is working with customers to apply the update and implement system hardening guidelines.
[15] The Cybersecurity and Infrastructure Security Agency (CISA) urges organizations to apply all necessary updates, check for any malicious activity, and report back any confirmed results to the agency.
[16] Black Lotus Labs has shared its findings with U.S. authorities.
[17] Four out of the five targets are in the U.S. and are either internet service providers, managed service providers, or IT companies.
[18] Many of these organizations are either telecom or ISPs, which are the types of companies the campaign is targeting.
[19] According to CMO Dan Maier, Versa Networks is aware of three companies that have been compromised worldwide, including one ISP and two MSPs.
[20] Censys reports that out of 164 public hosts running the application, about 25, or approximately 15%, are exposing a management port.
[21] The zero-day vulnerability is listed as CVE-2024-39717.
[22] Volt Typhoon is a high-profile threat actor facing the U.S., with the FBI and other federal authorities previously warning about its activities.
[23] CISA has added the vulnerability to its known exploited vulnerabilities catalog.