Significant Zero-Day Hack on Versa Director Software Unveiled by Black Lotus Labs
A group of hackers recently exploited a zero-day vulnerability in Versa Director software, which multiple internet service providers (ISPs) use to manage and secure their network operations. The breach compromised several internet companies in the U.S. and abroad, according to Black Lotus Labs, the threat research and operations division of Lumen Technologies.
China Suspected in Cyber Attacks
There are strong suspicions that the attacks may have originated from China, according to Lumen’s research findings.
- Lumen Technologies’ analysis attributed the zero-day exploit and operational use of the VersaMem web shell to state-sponsored Chinese threat actors known as Volt Typhoon and Bronze Silhouette.
Identification of Victims
- Research conducted by Lumen identified four U.S.-based victims and one foreign victim, believed to be connected to governmental and military personnel working undercover, as well as groups of strategic interest to China.
Denial from China
- China denied these allegations, claiming that ‘Volt Typhoon’ is an independent ransomware cybercriminal group with no state sponsorship. Embassy spokesman Liu Pengyu repeated this rebuttal to the Washington Post.
Lin Jian, spokesperson for China’s Ministry of Foreign Affairs, also reiterated this stance to the Global Times.
Ongoing Exploitation
- The exploitation is believed to be ongoing against unpatched systems running Versa Director, as highlighted by the researchers.
Modus Operandi of the Hackers
- The hackers used a specialized web shell named “VersaMem” to extract user login credentials. This malicious software operates covertly within system memory, making detection a challenging task.
Vulnerable Targets
- Versa Director servers, commonly employed by ISPs and managed service providers, were the primary focus of this breach due to their significance in enterprise network management setups.
Acknowledgment and Confirmation
- Versa Networks acknowledged the vulnerability and confirmed that it had been exploited in at least one known instance.
Lumen’s report revealed that the VersaMem web shell was uploaded to VirusTotal on June 7, meaning the sample was in circulation before the exploitation was observed. The malware was built using Apache Maven, its code comments contained Chinese characters, and as of mid-August no antivirus engine detected it.
Urgent Cybersecurity Measures
- Brandon Wales, the former executive director of the U.S. Cybersecurity and Infrastructure Security Agency, emphasized the escalating threats posed by Chinese hackers towards essential U.S. facilities. He advocated for increased investments in cybersecurity to counter these evolving challenges.
Wales emphasized the critical need for safeguarding U.S. critical infrastructure from persistent cyber threats originating from China.
Hot Take
Stay informed and vigilant about the latest cybersecurity threats to safeguard your network and data integrity.