TLDR:
- The Chinese state-sponsored group Volt Typhoon has targeted U.S. and international ISPs, MSPs and IT providers with a zero-day exploit for Versa Director.
- CVE-2024-39717 in Versa Director lets an attacker holding administrator credentials upload a malicious file disguised as a PNG image; the group used it to plant a web shell and pivot into downstream customers, a supply chain attack.
Volt Typhoon, a China-based cyber espionage group, has been caught exploiting a zero-day vulnerability in Versa Director, the central management server for Versa's SD-WAN deployments, to target U.S. and international IT providers. Exploitation was first observed on June 12, 2024, and has so far hit four U.S. victims and one non-U.S. victim in the Internet service provider, managed service provider, and IT sectors. CVE-2024-39717 is a file upload flaw in the Director web interface (the "Change Favicon" feature): an attacker who already holds administrator credentials can upload a file whose .png extension hides non-image content, and the server accepts it. This was the vector through which the group planted its custom web shell, VersaMem, on Director hosts. Because Director sits at the top of the management chain for a provider's customers, compromising it turns one intrusion into a supply chain attack: VersaMem intercepts and harvests credentials passing through the server, and those credentials give the attackers a path into downstream customers' networks.
Key Points:
- Chinese state-sponsored group Volt Typhoon exploits a zero-day flaw in Versa Director to target U.S. and international IT providers.
- CVE-2024-39717 lets an authenticated administrator upload a file disguised as a PNG; the attackers used it to deploy the VersaMem web shell, harvest credentials, and reach downstream customers.
Volt Typhoon, also tracked as Bronze Silhouette, Insidious Taurus, and UNC3236, has a history of targeting critical infrastructure operators with the aim of maintaining stealthy, long-term access and exfiltrating sensitive data. Its tradecraft in this campaign includes routing exploitation and command-and-control traffic through compromised small office/home office (SOHO) routers, so connections to a victim appear to come from ordinary residential addresses and blend in with legitimate customer traffic. VersaMem is a modular web shell that lives in the memory of the Director's Java (Tomcat) process rather than as a conventional file on disk: it hooks the server's authentication path to passively capture plaintext credentials as users log in, and it accepts arbitrary Java code to execute in-memory, leaving little for file-based scanning to find. Recommended mitigations are to upgrade Versa Director to a patched release (22.1.4 or later, per Versa's advisory), to block Internet access to the Director management ports 4566 and 4570, which should be reachable only from peer Director nodes, and to hunt for indicators of compromise, in particular files in the favicon upload directory whose .png extension does not match their contents.
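The upload-as-PNG vector and the indicator hunt described above, as an added example that is not code from the article, from Lumen, or from Versa: a small Python scanner that flags any file with a .png extension whose leading bytes are not the PNG signature (89 50 4E 47 0D 0A 1A 0A) and guesses what the file really is from a few common magic numbers. The directory layout, the file names and the file contents in build_sample_dir() are constructed for the demonstration and are not artefacts from any real incident; when run against a real host, pass the directory to scan as the first argument.

```python
#!/usr/bin/env python3
"""Hunt for files that carry a .png extension but are not PNG images.

Added example, not code from the original article, Lumen or Versa. A real
PNG always begins with the 8-byte signature 89 50 4E 47 0D 0A 1A 0A, so a
".png" that lacks it is worth a look. The sample directory built below is
constructed test data.
"""
import os
import sys
import tempfile
from pathlib import Path

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Magic numbers of content an attacker is likely to dress up as an image.
# Illustrative list; extend it for your environment.
KNOWN_MAGIC = {
    b"PK\x03\x04": "zip/jar archive",
    b"\x7fELF": "ELF executable",
    b"\xca\xfe\xba\xbe": "Java class file",
    b"#!": "script with shebang",
    b"<%": "JSP/ASP source",
}


def classify(header: bytes) -> str:
    """Return a human-readable guess at what the first bytes of a file are."""
    if header.startswith(PNG_SIGNATURE):
        return "png"
    for magic, label in KNOWN_MAGIC.items():
        if header.startswith(magic):
            return label
    # Printable ASCII with no known magic is most likely source or text.
    if header and all(32 <= b < 127 or b in b"\r\n\t" for b in header):
        return "text"
    return "unknown binary"


def find_fake_pngs(root) -> list:
    """Walk `root` and return (path, guessed type) for every .png lacking the PNG signature."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".png"):
                continue
            path = Path(dirpath) / name
            try:
                with open(path, "rb") as fh:
                    header = fh.read(16)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            kind = classify(header)
            if kind != "png":
                findings.append((str(path), kind))
    return sorted(findings)


def build_sample_dir() -> str:
    """Create a throwaway directory of constructed samples (not real artefacts)."""
    root = tempfile.mkdtemp(prefix="png_hunt_")
    logo = Path(root) / "custom_logo"  # hypothetical favicon directory name
    logo.mkdir()
    (logo / "favicon.png").write_bytes(PNG_SIGNATURE + b"\x00" * 32)   # genuine PNG header
    (logo / "logo.png").write_bytes(b"PK\x03\x04" + b"\x00" * 32)      # JAR dressed as PNG
    (logo / "banner.png").write_bytes(b"<% Runtime.getRuntime() %>\n")  # JSP dressed as PNG
    (logo / "readme.txt").write_bytes(b"not an image, not checked\n")  # wrong extension, ignored
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_dir()
    hits = find_fake_pngs(target)
    for path, kind in hits:
        print(f"SUSPECT {path}: looks like {kind}, not PNG")
    print(f"{len(hits)} suspicious file(s) under {target}")
```

Against the constructed samples the scan reports logo.png (archive) and banner.png (JSP source) and stays silent on favicon.png. On a Director host the directory to point it at is the favicon upload location, /var/versa/vnms/web/custom_logo/ according to Lumen Black Lotus Labs' published hunting guidance; `file --mime-type` on each file gives the same signature check from the shell. A clean result here does not clear the box, because VersaMem itself runs in memory, so it complements rather than replaces a memory and process-level review of the Tomcat service.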