China’s Volt Typhoon Exploits 0-day in Versa’s SD-WAN Director Servers

So far, the threat actor has compromised at least five organizations using CVE-2024-39717; CISA has added the bug to its Known Exploited Vulnerabilities catalog.

[Jai Vijayan, Contributing Writer](/author/jai-vijayan), August 27, 2024, 5 Min Read

Image source: Pixels Hunter via Shutterstock
China’s notorious Volt Typhoon group has been actively exploiting a zero-day bug in Versa Networks’ Director servers to intercept and harvest credentials for use in future attacks.

The bug, now patched and tracked as CVE-2024-39717, affects all versions of Versa Director prior to 22.1.4 and has to do with a feature that lets users customize the look and feel of its graphical user interface (GUI).

[Versa Director](https://versa-networks.com/documents/datasheets/versa-director.pdf) servers are a component of Versa Networks’ software-defined wide area networking (SD-WAN) technology. They allow organizations to centrally configure, manage, and monitor network devices, traffic routing, security policies, and other aspects of an SD-WAN environment. Versa’s customers include ISPs, MSPs, and many larger organizations.

Dan Maier, CMO at Versa, says the vulnerability can be seen as a privilege escalation bug, because the attacker is harvesting credentials to gain privileged access. He notes that attackers gain initial access to Versa Director via high-availability management ports 4566 and 4570 if they are left open and available over the Internet.

"Once the attackers gain initial access, they escalate privileges to gain highest-level administrator credentials," Maier says, adding that Versa has always instructed customers to limit access to such high-availability ports.

Researchers from Lumen Technologies’ Black Lotus Labs [discovered the bug](https://blog.lumen.com/taking-the-crossroads-the-versa-director-zero-day-exploitation) and noted that their analysis showed the threat actor using [attacker-controlled small-office/home-office (SOHO) devices](https://www.darkreading.com/cloud-security/volt-typhoon-soho-botnet-infects-us-govt-entities), a common Volt Typhoon tactic, to access vulnerable Versa Director systems via the management ports.

Active Exploitation Since at Least June
---------------------------------------

Lumen researchers reported the bug to Versa on June 21, about nine days after they believe Volt Typhoon first began exploiting it. Versa confirmed the zero-day vulnerability and issued a customer advisory describing mitigations for the bug on July 26. The company then released a second advisory on Aug. 8 with technical details, and released a [security bulletin](https://versa-networks.com/blog/versa-security-bulletin-update-on-cve-2024-39717-versa-director-dangerous-file-type-upload-vulnerability/) on Aug. 26 more fully describing the flaw.

Lumen researchers say the attacker has compromised at least five victims, four of which are US-based. The victim organizations are from the managed service provider, Internet service provider, and IT sectors, Lumen said.

In its report released today, Lumen researchers said Volt Typhoon actors use CVE-2024-39717 to drop "VersaMem," a bespoke Web shell for capturing plaintext user credentials on affected systems. The threat actor is also using VersaMem to monitor all inbound requests to the underlying Apache Tomcat Web application server and to dynamically load in-memory Java modules into it, they said.

"At the time of this writing, we assess the exploitation of this vulnerability is limited to Volt Typhoon and is likely ongoing against unpatched Versa Director systems," according to the Lumen post.

Protect Ports to Prevent Credential-Stealing Malware
----------------------------------------------------

HackerOne, through which Versa coordinated the vulnerability disclosure, has assessed the vulnerability as only moderately severe, with a base score of 6.6 out of 10 on the CVSS scale. The bug-bounty firm has described the vulnerability as complex to exploit and requiring high user privileges.

But Versa itself has described the issue as concerning, given the ability to exploit it to upload dangerous files to Versa Director and its potentially widespread footprint: "Although the vulnerability is difficult to exploit, it’s rated 'high' and affects all Versa SD-WAN customers using Versa Director that have not implemented the system hardening and firewall guidelines."

Michael Horka, security researcher with Lumen’s Black Lotus Labs, says that when the aforementioned Versa Director management ports 4566 and 4570 are exposed externally, the vulnerability is actually fairly easy to exploit.

"The management port provides unauthenticated access to the GUI, which then allows for the exploitation of CVE-2024-39717, leading to an unrestricted file upload and code execution of the [VersaMem] Web shell," he says. "If the Versa Director management ports 4566 and 4570 are not exposed externally, then the threat actor would need to gain access to the Web interface through a different method, such as credential theft, phishing, or exploiting another vulnerability. This raises the difficulty level of successful exploitation."

In addition, last year Versa introduced a version of the Director software that includes hardening measures that make the system secure by default and the bug unexploitable. "Our customer base is in the midst of their upgrades to this software version," Maier said.

CISA Adds CVE-2024-39717 to Known Exploited Vuln Catalog
--------------------------------------------------------

The attacks have prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2024-39717 to its catalog of [known exploited vulnerabilities](https://www.cisa.gov/news-events/alerts/2024/08/23/cisa-adds-one-known-exploited-vulnerability-catalog-versa-networks-director). Federal civilian executive branch agencies must apply Versa’s mitigations for the flaw by Sept. 13, or discontinue use of the technology until they can mitigate it.

Volt Typhoon is a China-sponsored group that security researchers and the [US government](https://www.darkreading.com/cybersecurity-operations/us-govt-reportedly-trying-to-disrupt-volt-typhoon-attack-infrastructure) alike perceive as one of the most dangerous, pernicious, and persistent nation-state actors currently active. The group is well known for its attacks on [US critical infrastructure targets](https://www.darkreading.com/cyber-risk/volt-typhoon-ramps-up-malicious-activity-critical-infrastructure) going back to at least 2021. Many believe the threat actor has established a [hidden presence](https://www.darkreading.com/vulnerabilities-threats/china-s-volt-typhoon-apt-burrows-us-critical-infrastructure) on numerous US networks and has the potential to create widespread disruption in the event that geopolitical tensions over Taiwan escalate into a military conflict between the US and China.

Researchers at Lumen uncovered the campaign when investigating traffic that suggested possible exploitation of Versa Director servers on June 12. Their analysis showed the threat actor had compiled the Web shell in early June and uploaded a sample to VirusTotal a few days later to see whether any antivirus tools would detect it. As of today, no antivirus tools detect the malware, Lumen researchers said.

Versa is urging customers to upgrade to remediated or hardened versions of the software and to check whether anyone has already exploited the vulnerability in their environment. The company also wants organizations to implement its guidelines for system hardening and firewall rules to mitigate their overall risk.
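Two of the article's concrete points lend themselves to a defender-side check: Director builds before 22.1.4 are affected, and the HA management ports 4566 and 4570 should be reachable only from Director peers. The Python below is an added example, not Versa's or Lumen's code; the flow-record format, the peer allowlist, and every host and version string in it are constructed assumptions.

```python
"""Triage helpers for CVE-2024-39717 built on two facts from the article:
Versa Director builds before 22.1.4 are affected, and the HA management
ports TCP 4566 and 4570 must not be reachable from untrusted networks.
All hosts, CIDRs and records are constructed; the flow format is assumed."""
import ipaddress
import re

HA_PORTS = {4566, 4570}      # Director HA management ports named in the article
FIXED_VERSION = (22, 1, 4)   # first release the article says is not affected

# Assumed allowlist: the only peers that should reach a Director on HA ports.
HA_PEER_NETS = [ipaddress.ip_network("10.20.0.0/24")]


def parse_version(text):
    """Turn '22.1.3' into (22, 1, 3); reject anything that is not x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Director version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True when the Director build predates the 22.1.4 fix."""
    return parse_version(version) < FIXED_VERSION


# Constructed flow-record format: "<src_ip> -> <dst_ip>:<dst_port>"
FLOW_RE = re.compile(r"^(\S+) -> (\S+):(\d+)$")


def flag_ha_exposure(flow_lines, peer_nets=HA_PEER_NETS):
    """Return (src, dst, port) for every HA-port connection from a non-peer.

    Any source outside the allowlist is flagged, RFC 1918 or not: the HA ports
    exist for Director-to-Director traffic, so an unexpected internal client
    is as much a finding as an Internet one."""
    hits = []
    for line in flow_lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue                      # skip malformed records
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if port not in HA_PORTS:
            continue
        if not any(ipaddress.ip_address(src) in net for net in peer_nets):
            hits.append((src, dst, port))
    return hits


# Constructed records; 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for an Internet client and an exposed Director.
SAMPLE_FLOWS = [
    "10.20.0.5 -> 10.20.0.10:4566",        # HA peer: expected traffic
    "203.0.113.7 -> 198.51.100.20:4570",   # Internet source: exposure
    "192.168.1.44 -> 10.20.0.10:4566",     # non-peer internal host: finding
    "203.0.113.7 -> 198.51.100.20:443",    # not an HA port: ignored
    "malformed record",
]

if __name__ == "__main__":
    for build in ("22.1.3", "22.1.4"):
        print(build, "affected" if is_affected(build) else "fixed")
    for hit in flag_ha_exposure(SAMPLE_FLOWS):
        print("HA port reachable from non-peer:", hit)
```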
About the Author
----------------

[Jai Vijayan, Contributing Writer](/author/jai-vijayan)
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master’s degree in Statistics and lives in Naperville, Ill. [See more from Jai Vijayan, Contributing Writer](/author/jai-vijayan)
