A critical zero-day vulnerability exploited since June that affected ISPs has now been patched.
Malicious hackers, likely operating on behalf of the Chinese government, have been leveraging a high-severity zero-day vulnerability to infect at least four U.S.-based ISPs with malware designed to steal customer credentials, researchers reported on Tuesday.
The flaw resides in Versa Director, a virtualization platform used by ISPs and managed service providers to oversee complex network infrastructures from a single interface, according to Black Lotus Labs, the research division of security firm Lumen. The attacks, which began no later than June 12 and are possibly ongoing, enabled the attackers to deploy “VersaMem,” a custom web shell giving them remote administrative control over Versa Director systems.
Gaining Administrative Control of ISP Systems
The administrative control granted by VersaMem allows it to operate with elevated privileges, enabling it to manipulate Versa’s authentication processes. This manipulation lets the web shell intercept credentials as they are entered by ISP customers, capturing them before they are encrypted. Once in possession of these credentials, the attackers work to compromise the customers. Black Lotus did not disclose the identities of the affected ISPs, MSPs, or their customers.
Tracked as CVE-2024-39717, the zero-day is an unsanitized file upload vulnerability that permits the injection of malicious Java files into Versa systems with high-level privileges. Versa released a patch for this vulnerability on Monday after Lumen reported it privately. All versions of Versa Director prior to 22.1.4 are affected. To avoid detection, the attackers used compromised small office and home office routers to conduct their operations.
“Given the severity of the vulnerability, the sophistication of the attackers, the critical role of Versa Director servers, and the potential impact of a successful breach, Black Lotus Labs deems this exploitation campaign highly significant,” the report stated.
In several cases, Black Lotus observed that the attackers appeared to initially access the Versa Director systems through port 4566, used by Versa for high-availability pairing between nodes. Versa’s advisory, first released in 2015, noted that impacted customers did not follow system hardening and firewall guidelines, exposing a management port on the internet that allowed the attackers initial access.
Details from Black Lotus Labs
Black Lotus Labs first detected unusual traffic suggesting exploitation of U.S. Versa Director servers between June 12, 2024, and mid-July 2024. Their analysis indicated that the compromised systems were likely accessed via port 4566, followed by extensive HTTPS traffic over port 443. This pattern suggests successful exploitation. The researchers identified four U.S. victims and one non-U.S. victim in the ISP, MSP, and IT sectors, with the earliest activity noted at a U.S. ISP on June 12, 2024.
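The access pattern described above (a source reaching the high-availability port 4566, then heavy HTTPS on 443) can be checked against flow logs. The following is an added example, not code from Black Lotus Labs or Versa; the flow-record format, the IP addresses, the one-hour window and the byte threshold are all constructed assumptions.

```python
"""Flag sources that hit Versa Director's port 4566 without being a configured
HA peer, and those that then push heavy HTTPS traffic to 443 shortly after.
Example code; the record format and thresholds are assumptions, not Versa's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: timestamp src_ip dst_ip dst_port bytes
SAMPLE_FLOWS = """\
2024-06-12T03:10:01Z 198.51.100.7 203.0.113.10 4566 1200
2024-06-12T03:12:44Z 198.51.100.7 203.0.113.10 443 5400000
2024-06-12T03:13:02Z 198.51.100.7 203.0.113.10 443 2100000
2024-06-12T04:00:00Z 203.0.113.11 203.0.113.10 4566 800
2024-06-12T04:00:30Z 203.0.113.11 203.0.113.10 443 900
2024-06-12T05:30:00Z 192.0.2.55 203.0.113.10 443 7000000
2024-06-12T06:00:00Z 192.0.2.99 203.0.113.10 4566 300
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into sortable tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, port, nbytes = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      src, dst, int(port), int(nbytes)))
    return flows

def triage_director_flows(flows, director_ip, ha_peers,
                          window=timedelta(hours=1), min_https_bytes=1_000_000):
    """Return {'exposed': [...], 'suspect': [...]}.
    exposed: non-peer sources that reached 4566 at all (the hardening gap the
             advisory describes: a management port open to the internet).
    suspect: exposed sources that then sent >= min_https_bytes to 443 within
             `window` of their first 4566 contact (the reported follow-on pattern).
    Assumption: only addresses in ha_peers may legitimately use 4566."""
    first_4566 = {}
    https_bytes = defaultdict(int)
    for ts, src, dst, port, nbytes in sorted(flows):
        if dst != director_ip or src in ha_peers:
            continue
        if port == 4566:
            first_4566.setdefault(src, ts)
        elif port == 443 and src in first_4566 and ts - first_4566[src] <= window:
            https_bytes[src] += nbytes
    return {
        "exposed": sorted(first_4566),
        "suspect": sorted(s for s, b in https_bytes.items() if b >= min_https_bytes),
    }
```

A hit in `exposed` is a configuration finding on its own; a hit in `suspect` is the stronger signal worth correlating with the report's indicators.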
The following graphic outlines Black Lotus Labs’ observations concerning CVE-2024-39717 and the use of the VersaMem web shell.
Undetected by Antivirus
VersaMem features a modular design, enabling it to load different modules depending on the threat actor’s objectives. Currently, only one module—a credential-stealing component—has been identified. At the time of publication, VersaMem was not flagged as malicious by major endpoint protection platforms. Black Lotus hopes the report will assist network defenders in identifying additional modules involved in the campaign.
The malware operates entirely in memory, reducing the likelihood of detection by avoiding disk storage.
To further evade detection, the attackers used compromised home and small-office routers to exploit Versa Director systems. This technique, also employed by state hackers from China and Russia, involves proxying attacks through such devices. Earlier this year, the FBI secretly sent commands to hundreds of these routers to remove malware placed by Chinese hackers, a tactic still in use by Chinese state actors.
Based on observed tactics and techniques, Black Lotus has moderate confidence that Volt Typhoon, a Chinese state-sponsored hacking group known for its sophistication, is behind the attacks.
In early 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported that Volt Typhoon had infiltrated networks of multiple U.S. critical infrastructure organizations, including those in communications, energy, transportation, and water sectors, with some breaches lasting up to five years. CISA indicated that these hackers were positioned to disrupt operations across these sectors in the event of a crisis or conflict.
Organizations using Versa Director should review the indicators of compromise in the Black Lotus report to determine if their systems have been targeted.