Chinese Nation-State Attackers Tied to Versa Zero-Day Hit

Targeted Versa Software Used by Service Providers to Manage Wide Area Networks

[Mathew J. Schwartz](https://www.govinfosecurity.com/authors/mathew-j-schwartz-i-892) ([euroinfosec](https://www.twitter.com/euroinfosec)) • August 28, 2024

![Chinese Nation-State Attackers Tied to Versa Zero-Day Hit](https://130e178e8f8ba617604b-8aedd782b7d22cfe0d1146da69a52436.ssl.cf1.rackcdn.com/chinese-nation-state-attackers-tied-to-versa-zero-day-hit-showcase_image-9-a-26152.jpg)

Chinese nation-state hackers are exploiting a Versa Director zero-day. (Image: Shutterstock)

Chinese nation-state hackers are exploiting a zero-day flaw in a tool used to manage and monitor network infrastructure, security researchers warned.

The targeted tool, Versa Director from California-based Versa Networks, is used by a number of internet service providers, managed service providers and IT firms to deploy, configure and monitor network infrastructure across locations, including via software-defined wide area networks.

Versa issued private security alerts directly to all customers on July 26 and Aug. 8, advising them to immediately patch the vulnerability by updating to the latest versions of Versa Director: 21.2.3, 22.1.2 and 22.1.3. The company first publicly detailed the vulnerabilities Monday in a security alert that [says](https://versa-networks.com/blog/versa-security-bulletin-update-on-cve-2024-39717-versa-director-dangerous-file-type-upload-vulnerability/), ‘We are actively working with all customers to ensure the patch and system hardening guidelines are applied.’

On Tuesday, attack surface management platform Censys [reported](https://censys.com/cve-2024-39717/) still seeing 163 exposed devices online.

The flaw, tracked as [CVE-2024-39717](https://nvd.nist.gov/vuln/detail/CVE-2024-39717), was discovered and reported to Versa by Louisiana-based Lumen Technologies’ threat intelligence group Black Lotus Labs. The U.S. Cybersecurity and Infrastructure Security Agency [added](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the vulnerability to its Known Exploited Vulnerabilities Catalog on Friday, reflecting that the flaw is being successfully exploited in the wild.

The U.S. National Vulnerability Database says the risk posed by the vulnerability is ‘high,’ meaning it can be remotely exploited to take full control of a system. Attackers often chain vulnerabilities together to give their attacks greater reach.

Based on attackers’ tactics, techniques and procedures, Black Lotus Labs [attributed](https://blog.lumen.com/taking-the-crossroads-the-versa-director-zero-day-exploitation/) the zero-day exploit campaign ‘with moderate confidence’ to the Beijing cyberespionage group [Volt Typhoon](/blogs/how-long-will-fbis-volt-typhoon-router-interdiction-stick-p-3558), aka Bronze Silhouette, and said the attacks are ‘likely ongoing against unpatched Versa Director systems.’

The threat intelligence group warned that the hacking campaign could have ‘highly significant’ repercussions, ‘given the severity of the vulnerability, the sophistication of the threat actors, the critical role of Versa Director servers in the network and the potential consequences of a successful compromise.’ The security researchers have published indicators of compromise, allowing all Versa Director users to search for signs of malicious activity.

Black Lotus Labs said its telemetry suggests the flaw has already been exploited in small office or home-office – aka SOHO – devices being used by four U.S. organizations and one organization abroad that are in the ISP, MSP or IT sectors. The earliest exploitation began on June 12, and attackers’ access persisted until mid-July.

A Chinese official denied his government has any connection to the exploitation campaign, The Washington Post [reported](https://www.washingtonpost.com/technology/2024/08/27/chinese-government-hackers-penetrate-us-internet-providers-spy/).

The Versa Director vulnerability can be exploited by attackers to upload a dangerous file ‘that allows administrators with “Provider-Data-Center-Admin” or “Provider-Data-Center-System-Admin” privileges to customize the user interface,’ CISA said. ‘The “change favicon” (favorite icon) enables the upload of a `.png` file, which can be exploited to upload a malicious file with a `.png` extension disguised as an image.’

By exploiting the vulnerability, ‘threat actors gain initial administrative access over an exposed Versa management port intended for high-availability (HA) pairing of Director nodes, which leads to exploitation and the deployment of the VersaMem web shell,’ it said.

Black Lotus Labs said the VersaMem Java archive – aka JAR – web shell injects code into Apache Tomcat web server processes in Versa Director and then can ‘capture plaintext user credentials’ as well as ‘dynamically load in-memory Java classes.’ This is all done in memory, which makes the malicious activity more difficult to spot. The web shell was first uploaded to malicious content analysis platform VirusTotal on June 7 with the filename `Versatest.png`. That was five days prior to the earliest known exploitation, it said.

Versa said the ‘dangerous file type upload vulnerability’ remains ‘difficult to exploit,’ in part due to the relatively high level of privileges an attacker would need, but it also acknowledged the flaw ‘has been exploited in at least one known instance by an advanced persistent threat actor.’

While the vulnerability is present in previous versions of Versa Director, users are only at risk if they haven’t implemented [firewall guidance](https://docs.versa-networks.com/Getting_Started/Deployment_and_Initial_Configuration/Deployment_Basics/Firewall_Requirements) and [system hardening requirements](https://docs.versa-networks.com/Solutions/System_Hardening) Versa has published since 2015 and 2017, respectively, the company said. All customers whose Versa Director software was exploited ‘failed to implement’ those recommendations, Versa said, which left ‘a management port exposed on the internet that provided the threat actors with initial access.’

Black Lotus Labs credited the discovery and analysis of the zero-day vulnerability to Michael Horka, its senior lead information security engineer, who formerly served as an FBI special agent on the bureau’s Cyber Task Force. The threat research group said it’s making the vulnerability details public after Versa directly notified customers about the flaw – twice – in part because attackers still appear to be attempting to target and compromise unpatched devices to hack into victims’ networks.

‘This is privileged, high-level connectivity to interesting customers,’ Horka told The Washington Post.
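The CISA description above comes down to an upload feature that trusted a `.png` extension rather than the bytes behind it. As an added example (not code from the article, Versa or CISA), here is the content check a defender would want on such an upload path, plus a triage helper that flags `.png` uploads whose bytes are really a ZIP/JAR container; the function names, the sample PNG header and the sample archive are all constructed for this illustration.

```python
import io
import zipfile

# Standard magic bytes a content check keys on; JAR files are ZIP containers.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ZIP_SIGNATURE = b"PK\x03\x04"

def extension_only_check(filename: str) -> bool:
    """The weak check: trusts the file name alone, so a JAR renamed to .png passes."""
    return filename.lower().endswith(".png")

def classify_upload(data: bytes) -> str:
    """Classify uploaded bytes by their content, ignoring the file name entirely."""
    if data.startswith(PNG_SIGNATURE):
        return "png"
    if data.startswith(ZIP_SIGNATURE):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-like"
        if "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names):
            return "jar"
        return "zip"
    return "unknown"

def accept_favicon(filename: str, data: bytes) -> bool:
    """Hardened check: the extension AND the content must both say PNG."""
    return extension_only_check(filename) and classify_upload(data) == "png"

def flag_disguised_uploads(uploads: dict) -> list:
    """Triage helper: names of '.png' uploads whose bytes are not a PNG image."""
    return sorted(n for n, d in uploads.items()
                  if extension_only_check(n) and classify_upload(d) != "png")

# Constructed samples for the demo; neither is a real artefact from the incident.
def sample_png() -> bytes:
    return PNG_SIGNATURE + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17

def sample_jar_named_png() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Placeholder.class", b"")  # empty entry, not bytecode
    return buf.getvalue()
```

Run `flag_disguised_uploads` over the upload directory (or over web-server upload logs replayed from backup) to surface files that passed an extension-only check but are not images.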
