CVE-2024-39717: Volt Typhoon Breaches Telecom Networks

The Chinese state-sponsored group Volt Typhoon has been linked to a series of intrusions exploiting CVE-2024-39717, a vulnerability in Versa Director, the management and orchestration platform for Versa's SD-WAN products that Internet service providers and managed service providers use to run virtual networks for their customers. The flaw, rated 7.2 on the CVSS scale, is an unrestricted upload of a dangerous file type in the Director web interface: an authenticated administrator can upload a file that is accepted as an image but is later executed on the server, giving the attacker a foothold from which to reach customer networks. Versions 21.2.3, 22.1.2, and 22.1.3 are affected; upgrading to version 22.1.4 resolves the issue. Versa Networks has advised administrators to apply the update and to follow its published hardening guidance. The Cybersecurity and Infrastructure Security Agency (CISA) has also added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

Researchers at Lumen's Black Lotus Labs discovered the activity in June after identifying a suspicious file that had been uploaded to VirusTotal. The attackers used the vulnerability to deploy VersaMem, a custom web shell that runs in memory inside the Director's Java process and was not flagged by the antivirus engines that scanned it. Analysis showed the web shell in active use from June 12 onward to compromise networks and deploy additional payloads.

The attack chain required administrative privileges on the Director. Volt Typhoon obtained them through an exposed management port that Versa Director uses for high-availability (HA) pairing between nodes. With that access, the attackers created accounts with elevated privileges, uploaded the web shell through the vulnerable upload function, and used it to harvest the credentials of users authenticating to the Director.

Versa Networks acknowledged that the vulnerability could lead to the theft of user credentials when the HA port is reachable from untrusted networks, and stressed that the port must be restricted to the Director nodes that need it. According to Versa's documentation, the port is open by default to support high-availability functionality.
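Two checks a responder would run on a Director host after reading the above, as an added example that is not code from the article, from Versa Networks, or from Black Lotus Labs. The first inspects the image-upload directory and flags any file whose bytes do not match the image format its extension claims, which is how an uploaded web shell disguised as an image is found. The second parses `ss -ltn` output and flags the HA management ports when they are bound to every interface rather than a dedicated management address. The upload directory path and the port numbers are assumptions taken from Versa's advisory for this CVE rather than from the page; confirm both against the current advisory before relying on them. The sample files and the sample `ss` output are constructed for the demonstration.

```python
"""Post-incident triage helpers for a Versa Director host (added example).

Not code from the article, Versa Networks or Black Lotus Labs.
ASSUMPTIONS: DEFAULT_UPLOAD_DIR and HA_PORTS follow Versa's advisory for
CVE-2024-39717 and are not stated on the page; verify them before use.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

# Magic bytes for the image formats the upload function would legitimately accept.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".ico": (b"\x00\x00\x01\x00",),
}

DEFAULT_UPLOAD_DIR = "/var/versa/vnms/web/custom_logo"  # assumed, from Versa's advisory
HA_PORTS = frozenset({4566, 4570})                        # assumed, from Versa's advisory
ANY_ADDR = {"0.0.0.0", "*", "[::]", "::"}


def is_disguised(path: Path) -> bool:
    """True when the extension claims an image but the file header disagrees."""
    expected = IMAGE_MAGIC.get(path.suffix.lower())
    if expected is None:
        return True  # a non-image extension in an image-only directory is suspicious by itself
    with path.open("rb") as fh:
        head = fh.read(16)
    return not any(head.startswith(magic) for magic in expected)


def find_disguised_uploads(directory: str = DEFAULT_UPLOAD_DIR) -> list[str]:
    """Return paths of regular files under `directory` whose content is not the image they claim."""
    root = Path(directory)
    if not root.is_dir():
        return []
    return sorted(str(p) for p in root.iterdir() if p.is_file() and is_disguised(p))


def exposed_listeners(ss_output: str, ports=HA_PORTS) -> list[tuple[str, int]]:
    """Parse `ss -ltn` text; return (bind_address, port) for HA ports bound to all interfaces."""
    findings = []
    for line in ss_output.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 5:
            continue
        addr, _, port_text = cols[3].rpartition(":")  # "Local Address:Port" column
        if port_text.isdigit() and int(port_text) in ports and addr in ANY_ADDR:
            findings.append((addr, int(port_text)))
    return findings


# Constructed sample data for a stand-alone run; not captured from a real host.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
LISTEN 0      128    10.0.0.5:4566        0.0.0.0:*
LISTEN 0      128    0.0.0.0:4570         0.0.0.0:*
LISTEN 0      128    [::]:443             [::]:*
"""


def build_sample_dir() -> str:
    """Create a temp directory with one genuine PNG and one JSP fragment renamed to .png."""
    d = tempfile.mkdtemp(prefix="versa_triage_")
    (Path(d) / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    (Path(d) / "favicon.png").write_bytes(b'<%@ page import="java.io.*" %><% /* constructed, inert */ %>')
    return d


if __name__ == "__main__":
    sample_dir = build_sample_dir()
    print("disguised uploads:", find_disguised_uploads(sample_dir))
    print("HA ports bound to all interfaces:", exposed_listeners(SAMPLE_SS))
```

On a real host, point `find_disguised_uploads` at the actual upload directory and feed `exposed_listeners` the live output of `ss -ltn`; a hit from either check is a reason to treat the Director as compromised and start credential rotation rather than simply patching.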

Black Lotus Labs reported that at least four organizations in the United States and one in India were compromised, and that in one case the attackers reached the victim's internal networks. The researchers attributed the activity to Volt Typhoon with moderate confidence; the group is known for compromising routers, VPN appliances and other edge devices to gain a foothold in sensitive networks.
