5 Things To Know On China-Linked Exploits Of Versa Networks Flaw

A zero-day vulnerability in Versa Director has reportedly been exploited by Chinese government hackers to target internet service providers and MSPs.

Internet service providers and MSPs are the main targets of a cyberattack campaign exploiting a Versa Networks SD-WAN vulnerability and linked to the Chinese government, according to security researchers and media reports.

The attacks have been attributed to a threat group tracked as “Volt Typhoon,” which has previously been cited by U.S. agencies for attacks targeting critical infrastructure providers.

[Related: Fortinet Hacks Led To 20,000 FortiGate Devices Breached: Report]

CRN has reached out to Versa for comment.

What follows are five things to know on the China-linked exploits of a vulnerability in Versa Networks SD-WAN.

Versa Vulnerability

On Monday, Versa disclosed a high-severity privilege escalation vulnerability (tracked as CVE-2024-39717) affecting Versa Director. The flaw has seen exploitation in “at least one known instance by an Advanced Persistent Threat actor,” the company said in its blog post.

The vulnerability has “allowed potentially malicious files to be uploaded by users with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges,” Versa said.

The issue, according to the company, impacts “all Versa SD-WAN customers using Versa Director, that have not implemented the system hardening and firewall guidelines.”

Customers that have been affected had “failed to implement system hardening and firewall guidelines mentioned above, leaving a management port exposed on the internet that provided the threat actors with initial access,” Versa said.

ISPs, MSPs Targeted

In a post Tuesday, researchers at Lumen Technologies disclosed details on the attacks observed so far, including that small office/home office (SOHO) devices have been targeted.

Victims of the Versa zero-day vulnerability exploit campaign have included “four U.S. victims and one non-U.S. victim,” the Lumen researchers wrote. The victims are all in “the Internet service provider (ISP), managed service provider (MSP) and information technology (IT) sectors,” and were targeted as far back as June 12, according to the researchers.

A report from the Washington Post specified that the victims have consisted of three U.S.-based ISPs — one of which is “large” — along with one other company based in the U.S. and a company based in India.

Attacks ‘Ongoing’

Cyberattacks exploiting the Versa Networks flaw are “likely ongoing against unpatched Versa Director systems,” Lumen researchers wrote.

“Given the severity of the vulnerability, the implications of compromised Versa Director systems, and the time that has now elapsed to allow Versa customers to patch the vulnerability, Black Lotus Labs felt it was appropriate to release this information at this time,” the researchers wrote.

Lumen Technologies also shared its threat intelligence with U.S. government agencies, the researchers said.

‘Volt Typhoon’ Blamed

Lumen researchers said that the “Chinese state-sponsored” threat groups tracked as Volt Typhoon and Bronze Silhouette have been observed exploiting the Versa vulnerability, though currently the activity is likely only being carried out by Volt Typhoon.

“At the time of this writing, we assess the exploitation of this vulnerability is limited to Volt Typhoon,” the researchers wrote.

In late January, the FBI disclosed that an operation succeeded in disrupting the efforts of Volt Typhoon — which is backed by the Chinese government, according to the agency — to compromise U.S. critical infrastructure providers by exploiting SOHO routers. Targets included providers of critical services including communications, energy, water and transportation, the FBI said at the time.

Then in February, U.S. agencies disclosed that Volt Typhoon has been known to obtain initial access to critical infrastructure IT systems by exploiting network appliances from a number of vendors.

More Details On Victims

The Washington Post report indicated that two of the victims in the attacks are major ISPs with “millions of customers.”

The attacks are believed to be geared toward gathering of intelligence, including on “government and military personnel working undercover and groups of strategic interest to China,” the Post reported.

The fact that the China-backed threat groups were willing to exploit zero-day flaws for the campaign points to the significance of the campaign for the Chinese government, the report said.