Chinese government hackers infiltrate at least two top US ISPs
Volt Typhoon strikes again
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
A Chinese state-sponsored hacking group has been observed using a zero-day exploit to infiltrate internet service providers (ISPs), managed service providers (ISPs) and IT sectors since at least June 12, 2024.
Lumen’s Black Lotus Labsbelieves the group, tracked as Volt Typhoon and Bronze Silhouette, was observed using the vulnerability, labelled asCVE-2024-39717, to breach organizations in the wild.
The vulnerability utilizes a complex process to inject malicious code into Versa Director servers, allowing the attacker to steal credentials in plaintext, “potentially enabling downstream compromises of client infrastructure through legitimate credential use,” Black Lots Labs said.
Breaching US ISPs
Versa Director servers are used by ISPs and MSPs to manage network configurations on software-defined wide area network (SD-WAN) software. The attackers used a custom JAR web shell - labeled “VersaMem” by Black Lotus Labs - that employs Java instrumentation and Javassist to inject code into the Tomcat web server process memory space on the victims Versa Director servers.
The web shell, named “VersaTest.png” and uploaded to VirusTotal on June 7, 2024, does not have any antivirus detections at time of writing, and can still be used to exploit unpatched Versa Director servers. So far, the vulnerability has been used to attack four victims within the US, and one non-US victim.
Douglas McKee, executive director, threat research at SonicWall, commented on the attack, stating, “The recent exploitation of a zero-day vulnerability in the Versa Director software by the Chinese state-backed hacking group Volt Typhoon highlights the critical importance of vulnerability research and product security testing. This attack, which targeted U.S. ISPs and MSPs, underscores how undiscovered and therefore unpatched vulnerabilities can be leveraged by sophisticated threat actors to infiltrate and compromise critical infrastructure. By performing third-party vulnerability research and internal product security testing, organizations can identify and mitigate these weaknesses before they are exploited.”
Black Lotus Labs recommends those concerned about compromise of Versa Director servers within their network to upgrade to version 22.1.4 or later and keep an eye out for the following indicators of compromise (IOCs):
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Further recommendations can be found on the Black Lotus Labs blog.
More from TechRadar Pro
Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.
LG Electronics sets ambitious B2B revenue goal to offset declining consumer demand
New fanless cooling technology enhances energy efficiency for AI workloads by achieving a 90% reduction in cooling power consumption
Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics
