Volt Typhoon exploits zero-day, targeting ISPs and MSPs with campaign

August 29, 2024

TLDR:

  • Volt Typhoon, a state-linked threat actor, is exploiting a zero-day vulnerability in Versa Director servers targeting ISPs and MSPs.
  • The vulnerability lets a user who already holds administrative privileges upload files of a dangerous type; the actor used it to deploy a custom webshell, VersaMem, that harvests credentials.

In a recent blog post, researchers from Black Lotus Labs revealed that Volt Typhoon, a prolific state-linked threat actor, is carrying out a campaign against internet service providers, managed service providers, and other technology firms by exploiting a zero-day vulnerability in Versa Director servers. The vulnerability, tracked as CVE-2024-39717, lets an authenticated user with administrative privileges upload potentially malicious files through the Director's web interface; the file type is not adequately restricted, so a file that looks like an image can carry executable content.
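The bug class behind this CVE is an upload endpoint that accepts a dangerous file type behind an image-looking name. The following is an added example, not Versa's code and not a reproduction of the actual flaw (the page does not describe the Director's internals): a weak favicon-upload check that trusts client-supplied metadata, beside a hardened one that verifies the bytes are a well-formed PNG with nothing appended. Function names and sample inputs are constructed for illustration.

```python
"""Added example (not Versa's code): weak vs. hardened handling for an
image-only upload endpoint.  Scenario, names and inputs are constructed."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # compiled Java class
ZIP_MAGIC = b"PK\x03\x04"                # JAR/WAR archives are ZIP containers


def weak_accept_favicon(filename: str, content_type: str, data: bytes) -> bool:
    """Weak check: only looks at attacker-controlled metadata, never the bytes."""
    return filename.lower().endswith(".png") and content_type == "image/png"


def _png_chunks(data: bytes):
    """Yield (type, payload) for each PNG chunk; raise ValueError if malformed,
    including when anything follows the IEND chunk (a common polyglot trick)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIG)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(chunk) != length or len(crc) != 4:
            raise ValueError("truncated chunk")
        if struct.unpack(">I", crc)[0] != (zlib.crc32(ctype + chunk) & 0xFFFFFFFF):
            raise ValueError("bad chunk CRC")
        yield ctype, chunk
        pos += 12 + length
        if ctype == b"IEND":
            if pos != len(data):
                raise ValueError("trailing data after IEND")
            return
    raise ValueError("no IEND chunk")


def hardened_accept_favicon(filename: str, content_type: str, data: bytes,
                            max_bytes: int = 64 * 1024) -> bool:
    """Hardened check: metadata must agree with the bytes, the bytes must parse
    as a PNG from IHDR to IEND, and nothing may be appended after IEND."""
    if not weak_accept_favicon(filename, content_type, data):
        return False
    if len(data) > max_bytes:
        return False
    if data[:4] in (JAVA_CLASS_MAGIC, ZIP_MAGIC):   # explicit deny of known executables
        return False
    try:
        chunks = list(_png_chunks(data))
    except ValueError:
        return False
    return bool(chunks) and chunks[0][0] == b"IHDR" and chunks[-1][0] == b"IEND"


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk with a correct CRC (used only to construct samples)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """Constructed 1x1 RGB PNG used as the 'genuine favicon' sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    raw = b"\x00\x00\x00\x00"                              # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


# Constructed samples: a real favicon, a Java class renamed to .png, and a
# PNG with an archive appended after IEND.  All three pass the weak check.
GOOD = make_minimal_png()
FAKE_CLASS = JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 32
POLYGLOT = GOOD + ZIP_MAGIC + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("fake_class", FAKE_CLASS), ("polyglot", POLYGLOT)):
        print(name, "weak:", weak_accept_favicon("favicon.png", "image/png", blob),
              "hardened:", hardened_accept_favicon("favicon.png", "image/png", blob))
```

A byte-level check like this belongs on the server regardless of the uploader's role; the point of the CVE is that an administrator's upload was trusted, and administrator credentials are exactly what a credential-harvesting webshell supplies. It complements, and does not replace, applying the vendor patch.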

Black Lotus Labs researchers discovered a custom webshell named VersaMem, designed to intercept and harvest credentials as users authenticate to the Director, giving the attackers access to downstream customer networks as authenticated users. The researchers emphasize that this campaign poses a significant threat to the telecom sector.

Volt Typhoon has been flagged as a high-profile threat actor, with previous warnings from federal authorities regarding its infiltration of critical infrastructure providers. In response to this threat, Versa Networks has released a patch for the vulnerability and is actively working with customers to ensure the update is applied and system hardening measures are implemented. Versa's hardening guidance, which predates this incident, includes keeping the Director's management and high-availability ports (TCP 4566 and 4570) unreachable from the internet; the exploitation Black Lotus Labs observed targeted Directors on which those ports were exposed.

Black Lotus Labs identified multiple actor-controlled devices that had exploited the vulnerability, while it was still unpatched, at five victims, primarily ISPs and MSPs. The webshell gives the actor admin-level access to the Director, letting them harvest credentials and extract sensitive data without drawing attention.

CISA has added CVE-2024-39717 to its Known Exploited Vulnerabilities catalog and urged organizations to apply all required updates, conduct thorough security checks, and report any suspicious activity to the agency. By sharing their findings with U.S. authorities, Black Lotus Labs aims to limit the impact of this campaign on critical infrastructure providers.

Overall, the exploitation of the zero-day vulnerability in Versa Director servers by Volt Typhoon highlights the ongoing threats faced by ISPs and MSPs. It underlines the importance of prompt patching, of keeping management interfaces off the internet, and of rotating any credentials that may have passed through a compromised Director, since the webshell's purpose is to capture them.
