Zero Day Versa Director: Attackers nest in ISPs

Attackers first nest in customers' routers and then directly in the infrastructure of ISPs. Above all, they are after customer passwords.

[Symbol image: eight Ethernet cables connected to a router. Image: momente/Shutterstock.com]

This article was originally published in German and has been automatically translated.

A security vulnerability in the Versa Director network management software (CVE-2024-39717) is being exploited more widely than initially known. Attackers have compromised at least three Internet Service Providers (ISPs) in the US and one outside the country in order to intercept customer usernames and passwords in plain text, before the ISP hashes and stores them. This is reported by security researchers at Lumen, who attribute the attacks to Volt Typhoon with moderate confidence.

Volt Typhoon, also tracked under the name Bronze Silhouette, is regarded as working on behalf of the Chinese government. The People's Republic of China describes Volt Typhoon as a criminal gang and denies any connection with it.

According to Lumen's analysis, the modus operandi begins with the exploitation of various unpatched vulnerabilities in internet routers in homes and small offices (SOHO devices). From then on, these serve as relatively inconspicuous proxies for connections to the infrastructure of the respective ISP. From such a router, the attackers briefly contact the Versa Director on TCP port 4566, the port Versa uses for high-availability pairing between Director nodes. If this succeeds, the attacker can compromise the Versa Director.

A web shell is then installed, which Lumen has christened VersaMem. It is modular and can load arbitrary Java malware routines; to stay inconspicuous, these run only in memory rather than from files on disk. So far, Lumen has observed a single module: it recognizes when a customer of the ISP sets a username and password on the company's site and grabs both in plain text, before the ISP stores only the password's hash value.

The attack fails if the Versa patches have been installed or if port 4566 cannot be reached from customer routers. For the latter, Versa has for years recommended suitable firewall settings and system hardening that restrict access to this port. Apparently not all ISPs have followed these instructions.
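The attack path described above (customer router to Director on port 4566) and the mitigation (port 4566 reachable only from where it needs to be) suggest one concrete check an ISP can run against its own firewall or flow logs: any inbound TCP connection to port 4566 on a Director that does not come from the Director's HA peer or the management network is worth an alert. The following Python script is an added example written for this article, not code from Lumen or Versa. The key=value log format, the peer address 10.20.0.11 and the management prefix 10.20.0.0/24 are assumptions chosen for illustration, and the log lines are constructed.

```python
"""Flag inbound TCP connections to the Versa Director HA port (4566) whose
source is neither the expected Director peer nor the management network.

Added example, not Lumen's or Versa's code.  Log format, peer address and
management prefix are assumptions for illustration; replace them with your own.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

VERSA_HA_PORT = 4566  # HA pairing port between Director nodes (see article)

# Assumed allow-list: the other Director node of the HA pair and the ISP's
# management network.  Anything else reaching port 4566 is suspicious.
ALLOWED_PEERS = {ipaddress.ip_address("10.20.0.11")}
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    line_no: int


def parse_line(line: str) -> Optional[dict]:
    """Parse an assumed 'key=value' firewall log line.

    Returns None when the line lacks a usable src/dst/dport, so malformed or
    unrelated lines are skipped instead of crashing the scan.
    """
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    try:
        return {
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
            "proto": fields.get("proto", "tcp").lower(),
        }
    except (KeyError, ValueError):
        return None


def is_trusted(src) -> bool:
    """True if the source is the HA peer or inside the management network."""
    addr = ipaddress.ip_address(str(src))
    return addr in ALLOWED_PEERS or any(addr in net for net in MGMT_NETS)


def find_unexpected_ha_connections(lines: Iterable[str]) -> List[Finding]:
    """Return every TCP connection to port 4566 from an untrusted source."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != VERSA_HA_PORT:
            continue
        if not is_trusted(rec["src"]):
            findings.append(Finding(str(rec["src"]), str(rec["dst"]), line_no))
    return findings


# Constructed sample log: one legitimate HA peer, one external source hitting
# 4566 (the pattern of a proxied customer router), unrelated traffic, noise.
SAMPLE_LOG = [
    "2024-08-27T10:01:02Z action=accept proto=tcp src=10.20.0.11 dst=10.20.0.10 sport=51234 dport=4566",
    "2024-08-27T10:01:05Z action=accept proto=tcp src=203.0.113.45 dst=10.20.0.10 sport=44121 dport=4566",
    "2024-08-27T10:01:07Z action=accept proto=tcp src=198.51.100.7 dst=10.20.0.10 sport=40211 dport=443",
    "2024-08-27T10:01:09Z action=accept proto=udp src=203.0.113.45 dst=10.20.0.10 sport=5000 dport=4566",
    "this line is not a firewall record",
    "2024-08-27T10:01:12Z action=accept proto=tcp src=10.20.0.55 dst=10.20.0.10 sport=40000 dport=4566",
]


if __name__ == "__main__":
    for f in find_unexpected_ha_connections(SAMPLE_LOG):
        print(f"line {f.line_no}: unexpected TCP/4566 from {f.src} to {f.dst}")
```

On the sample log only the connection from 203.0.113.45 is reported: the HA peer and the management host are allow-listed, the port-443 and UDP records are out of scope, and the malformed line is ignored. In production the same logic belongs in the SIEM as a scheduled query, and the firewall rule that restricts port 4566 to the HA peer should exist regardless, since detection is a fallback for the hardening the article says was missing.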

Lumen considers the attacks significant. The perpetrators evidently want to embed themselves in critical infrastructure for the long term. The harvested passwords could be used in a crisis, for example if China were to invade Taiwan, to cause chaos in the USA by using valid customer credentials to disable Internet connections en masse.

(ds)