Image: China flag (Arthur Wang via Unsplash)

China’s Volt Typhoon reportedly targets US internet providers using Versa zero-day

Researchers accused Chinese government-linked hacking group Volt Typhoon of exploiting a zero-day vulnerability in network management platform Versa Director in an effort to breach internet service providers and technology companies, including those in the United States. 

Earlier on Monday, Versa announced that it had fixed a high-severity flaw, tracked as CVE-2024-39717, noting that it was exploited in the wild by an unnamed nation-state hacker group “at least once.” 

The bug had also been added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities catalog over the weekend. The flaw affects all Versa Director versions prior to 22.1.4.
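Because the article gives a clean cut-off (every Versa Director release before 22.1.4 is affected), the first thing a defender wants is an inventory check that applies that threshold correctly. The script below is an added example, not code from the article, from Versa, or from Lumen; it assumes Versa Director versions are plain dotted numbers such as 22.1.3, takes the fixed version and CVE identifier from the article, and runs over a constructed sample inventory rather than real hosts. Versions are compared numerically, so a host on a hypothetical 22.1.10 is not mistaken for an older release the way a string comparison would.

```python
"""Inventory check for Versa Director hosts affected by CVE-2024-39717.

Added example: the affected range (all versions prior to 22.1.4) and the CVE id
come from the article; the hostnames and versions below are constructed sample
data, not real systems.
"""

CVE_ID = "CVE-2024-39717"
FIXED_VERSION = "22.1.4"  # first unaffected release, as stated in the article


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '22.1.4' into (22, 1, 4).

    Integer tuples compare numerically, so (22, 1, 10) sorts after (22, 1, 4);
    a plain string comparison would rank '22.1.10' below '22.1.4'.
    Anything that is not purely dotted digits is rejected rather than guessed.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release.

    Shorter strings are zero-padded before comparison, so '22.1' is treated
    as 22.1.0 and therefore as affected.
    """
    installed, threshold = parse_version(version), parse_version(fixed)
    width = max(len(installed), len(threshold))
    installed += (0,) * (width - len(installed))
    threshold += (0,) * (width - len(threshold))
    return installed < threshold


def find_affected(inventory: list[tuple[str, str]]) -> list[dict]:
    """Return one finding per host that is below the fixed release.

    Hosts whose version string cannot be parsed are reported with status
    'unknown' so they are not silently dropped from the review list.
    """
    findings = []
    for host, version in inventory:
        try:
            affected = is_affected(version)
        except ValueError as exc:
            findings.append({"host": host, "version": version,
                             "status": "unknown", "reason": str(exc)})
            continue
        if affected:
            findings.append({"host": host, "version": version,
                             "status": "affected", "cve": CVE_ID,
                             "fix": FIXED_VERSION})
    return findings


# Constructed sample inventory (hostname, reported version); not real hosts.
SAMPLE_INVENTORY = [
    ("director-a.corp.example", "22.1.3"),   # below the fix: affected
    ("director-b.corp.example", "22.1.4"),   # exactly the fix: not affected
    ("director-c.corp.example", "21.2.3"),   # older major/minor: affected
    ("director-d.corp.example", "22.1"),     # padded to 22.1.0: affected
    ("director-e.corp.example", "unknown"),  # unparseable: flagged for review
]

if __name__ == "__main__":
    for finding in find_affected(SAMPLE_INVENTORY):
        print(finding)
```

The unparseable-version path matters in practice: an asset database that returns an empty or free-text version for a host is exactly the host most likely to have been forgotten, so it is surfaced for manual review instead of being treated as patched.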

Versa Director works as a central command center, allowing tech specialists to easily set up, monitor, and manage their networks across multiple locations. This makes Versa servers an “attractive target for threat actors seeking to extend their reach within enterprise network management,” according to researchers at Lumen Technologies.

In a report on Tuesday, the researchers attributed the exploitation of this vulnerability, “with moderate confidence,” to the notorious China-backed hacker group Volt Typhoon. The group has previously targeted U.S. energy and defense companies, with its hallmark campaign involving the infiltration of home routers to launch other attacks.

In the latest incidents, Volt Typhoon exploited the flaw in Versa Director to upload a sophisticated, custom-tailored web shell named VersaMem. This web shell was used to intercept and harvest credentials, as well as execute arbitrary malicious code on compromised servers while avoiding detection.

The targets of Volt Typhoon’s latest campaign reportedly include four U.S. victims and one non-U.S. victim in the internet service provider, managed service provider, and information technology sectors.

The initial version of the VersaMem web shell was first uploaded to the VirusTotal repository from Singapore earlier in June, approximately five days prior to the earliest identified exploitation of Versa Director servers in the U.S., Lumen Technologies said.

“We suspect the threat actors may have been testing the web shell in the wild on non-U.S. victims before deploying it to U.S. targets,” the company added. The current malware version has zero detections on VirusTotal.

“Given the severity of the vulnerability, the sophistication of the threat actors, the critical role of Versa Director servers in the network, and the potential consequences of a successful compromise, researchers consider this exploitation campaign to be highly significant,” the researchers added.

Lumen Technologies said it shared its findings with U.S. federal agencies to warn “of the emerging risks that could impact our nation’s strategic assets.”

For the last year, the White House, Defense Department and several other agencies with a hand in cybersecurity have raised alarms about the Volt Typhoon campaign, which they believe is a preemptive effort by China’s government to gain strategic footholds into U.S. critical infrastructure. 

The goal is to slow down any potential military mobilization effort that may come following a Chinese invasion of Taiwan, according to government officials. U.S. officials continue to search for and root out compromises caused by Volt Typhoon. 

CISA Director Jen Easterly said earlier this month that escalating tensions between China and Taiwan have led Beijing to seek ways to launch destructive attacks against the island nation and its allies — including the U.S. 

“[This is] a world where a war in Asia will be accompanied by very serious threats for Americans,” she said. “The explosion of pipelines, the pollution of water systems, the derailing of our transportation systems, the severing of our communications, specifically to incite panic and societal chaos and to deter our ability to marshal military might and citizen will.” 

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.