A newly discovered zero-day vulnerability in Versa Director software is being actively exploited by suspected Chinese state-sponsored hackers, potentially compromising major internet service providers (ISPs) and managed service providers (MSPs) in the United States.
The Vulnerability
The critical flaw, identified as CVE-2024-39717, affects all versions of Versa Director prior to 22.1.4. Versa Director is a key component used by ISPs and MSPs to manage network configurations for software-defined wide area networks (SD-WANs).
The Attack
Security researchers at Lumen's Black Lotus Labs have observed the vulnerability being exploited since at least June 12, 2024. The attackers, believed to be part of the hacking groups known as Volt Typhoon and Bronze Silhouette, use a sophisticated custom web shell dubbed VersaMem to inject malicious code into Versa Director servers.
Impact and Scope
So far, the attacks have targeted four victims within the US and one non-US victim, primarily in the ISP, MSP, and IT sectors. The potential impact is severe, as compromised Versa Director servers could allow attackers to:
- Steal credentials in plaintext
- Potentially compromise downstream client infrastructure
- Inject additional malicious code directly into server memory
- Evade detection through sophisticated techniques
Recommendations
Organizations using Versa Director are strongly advised to:
- Upgrade to version 22.1.4 or later immediately
- Monitor for suspicious activity on port 4566
- Search for unauthorized .png files in the Versa webroot directory
- Audit user accounts and review system logs
- Rotate credentials if compromise is suspected
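The detection-oriented items in the list above (confirm the version is at or past 22.1.4, watch port 4566, look for unexpected .png files in the webroot) can be scripted. The following is an added example written for this article; it is not code from Versa, Lumen or Black Lotus Labs. It assumes a constructed connection-log format of the form `<timestamp> <src_ip> -> <dst_ip>:<port>`, uses the standard PNG file signature as a heuristic for spotting files that carry a .png name but are not images (a choice made for this example, not a vendor-prescribed check), and takes an operator-supplied allowlist of hosts that legitimately reach the management port.

```python
import re
import tempfile
from pathlib import Path

# Fixed release named in the article; every earlier version is affected.
PATCHED_VERSION = (22, 1, 4)

# Standard 8-byte PNG signature. Flagging .png-named files that lack it is a
# heuristic chosen for this example, not a check prescribed by the vendor.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Port the article recommends monitoring.
VERSA_MGMT_PORT = 4566

# Constructed log format for this example: "<timestamp> <src_ip> -> <dst_ip>:<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$")


def parse_version(version: str) -> tuple:
    """Turn a dotted version string such as '22.1.3' into a comparable tuple."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when the installed Versa Director release is older than 22.1.4."""
    return parse_version(version) < PATCHED_VERSION


def find_suspicious_png(webroot: Path) -> list:
    """Return .png-named files under webroot whose header is not a PNG header."""
    suspicious = []
    for path in sorted(webroot.rglob("*.png")):
        with path.open("rb") as fh:
            header = fh.read(len(PNG_MAGIC))
        if header != PNG_MAGIC:
            suspicious.append(path.relative_to(webroot).as_posix())
    return suspicious


def unexpected_port_4566_sources(log_lines, allowed_sources) -> list:
    """Return (timestamp, src_ip) for connections to 4566 from hosts not on the allowlist."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or int(m.group("port")) != VERSA_MGMT_PORT:
            continue
        if m.group("src") not in allowed_sources:
            hits.append((m.group("ts"), m.group("src")))
    return hits


def demo() -> dict:
    """Run the three checks against constructed sample data and return the findings."""
    # Constructed webroot: one real PNG and one file that only pretends to be one.
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp)
        (webroot / "img").mkdir()
        (webroot / "img" / "logo.png").write_bytes(PNG_MAGIC + b"\x00" * 16)
        (webroot / "img" / "dropped.png").write_bytes(b"constructed non-image content")
        png_findings = find_suspicious_png(webroot)

    # Constructed connection log lines (addresses are documentation ranges).
    sample_log = [
        "2024-06-12T03:14:07Z 10.0.0.5 -> 10.0.0.10:4566",
        "2024-06-12T03:15:22Z 203.0.113.7 -> 10.0.0.10:4566",
        "2024-06-12T03:16:01Z 10.0.0.5 -> 10.0.0.10:443",
    ]
    allowlist = {"10.0.0.5"}  # hosts expected to reach the management port

    return {
        "vulnerable": is_vulnerable_version("22.1.3"),
        "suspicious_png": png_findings,
        "port_hits": unexpected_port_4566_sources(sample_log, allowlist),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Each check returns its findings rather than printing them, so the functions can be dropped into an existing monitoring job; in a real deployment the log parser would be swapped for whatever format the firewall or flow collector actually emits.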
Broader Implications
This attack highlights the critical importance of vulnerability research and product security testing, especially for software used in managing critical infrastructure. The involvement of suspected Chinese state-sponsored actors adds a geopolitical dimension to the threat, potentially impacting national security.
As Douglas McKee, Executive Director of Threat Research at SonicWall, noted: "This attack underscores how undiscovered and therefore unpatched vulnerabilities can be leveraged by sophisticated threat actors to infiltrate and compromise critical infrastructure."
The incident serves as a stark reminder of the ongoing cybersecurity challenges faced by organizations managing essential network services and the potential for widespread disruption through targeted attacks on key infrastructure components.