29 August 2024

China-linked Volt Typhoon hackers exploit Versa zero-day to breach ISPs and MSPs


China-linked Volt Typhoon hackers exploit Versa zero-day to breach ISPs and MSPs

The Chinese state-backed hacking group Volt Typhoon has been observed targeting a zero-day vulnerability in Versa Director, a critical management platform used by Internet Service Providers (ISPs) and Managed Service Providers (MSPs). The vulnerability, tracked as CVE-2024-39717, allowed the threat actors to deploy a custom web shell, enabling them to steal credentials and breach corporate networks.

Versa Director is a platform widely used by ISPs and MSPs to manage virtual wide-area network (WAN) connections. CVE-2024-39717 exists within a feature of Versa Director that permits administrators to upload custom icons to personalize the graphical user interface (GUI).

The feature could be abused by a remote user to upload malicious Java files disguised as PNG images, providing the attacker with unauthorized access to the system.
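The upload path described above is the classic content/extension mismatch: the platform trusted the file name, and the file body was a Java artifact. The validator below is an added, defender-side illustration and is not Versa Networks' code or the actual fix shipped in 22.1.4. It sniffs the leading bytes of a would-be icon upload, rejects Java class files and ZIP/JAR containers outright regardless of name, and then insists on a structurally plausible PNG (signature followed by an IHDR chunk). The sample byte strings are constructed here for the demonstration; only the file name "VersaTest.png" comes from the article.

```python
import os
import struct

# Well-known leading bytes (magic numbers) used to identify file content.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # every compiled .class file starts with this
ZIP_MAGIC = b"PK\x03\x04"                 # .jar / .war archives are ZIP containers

# Only one image type is accepted for custom icons in this hypothetical validator.
ALLOWED_ICON_EXTENSIONS = {".png"}


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    if data.startswith(PNG_SIGNATURE):
        return "png"
    if data.startswith(JAVA_CLASS_MAGIC):
        return "java-class"
    if data.startswith(ZIP_MAGIC):
        return "zip-or-jar"
    return "unknown"


def png_has_ihdr(data: bytes) -> bool:
    """A real PNG's first chunk after the 8-byte signature must be a 13-byte IHDR."""
    # signature (8) + chunk length (4) + chunk type (4) + IHDR data (13) + CRC (4)
    if len(data) < 8 + 4 + 4 + 13 + 4:
        return False
    length, chunk_type = struct.unpack(">I4s", data[8:16])
    return chunk_type == b"IHDR" and length == 13


def validate_icon_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason). Content decides; the extension is only a first filter."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED_ICON_EXTENSIONS:
        return (False, f"extension {ext!r} is not an allowed icon type")
    kind = sniff(data)
    if kind in ("java-class", "zip-or-jar"):
        # A Java artifact carrying an image extension is exactly the disguise the
        # article describes; reject it and surface the reason for logging/alerting.
        return (False, f"content is {kind}, not an image (disguised executable)")
    if kind != "png":
        return (False, "missing PNG signature")
    if not png_has_ihdr(data):
        return (False, "malformed PNG (no IHDR chunk)")
    return (True, "accepted")


# --- Constructed sample uploads (not real captured files) ---------------------
# Minimal structurally valid PNG header: signature + IHDR chunk (CRC left as zeros;
# this validator checks structure, not CRC correctness).
GOOD_PNG = (PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR"
            + struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0) + b"\x00" * 4)
# A Java class file body given the .png name reported in the article.
DISGUISED_CLASS = JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 16
# A JAR/ZIP container renamed to look like an image.
DISGUISED_JAR = ZIP_MAGIC + b"\x00" * 26
# A file that starts like a PNG but has no IHDR chunk behind the signature.
TRUNCATED_PNG = PNG_SIGNATURE + b"\x00\x00"

SAMPLES = [
    ("logo.png", GOOD_PNG),
    ("VersaTest.png", DISGUISED_CLASS),
    ("theme.png", DISGUISED_JAR),
    ("icon.png", TRUNCATED_PNG),
    ("shell.jsp", b"<% %>"),
]


def audit_samples() -> list:
    """Run every constructed sample through the validator; returns (name, accepted, reason)."""
    return [(name, *validate_icon_upload(name, body)) for name, body in SAMPLES]


if __name__ == "__main__":
    for name, accepted, reason in audit_samples():
        print(f"{name:15s} {'ACCEPT' if accepted else 'REJECT'}  {reason}")
```

The same sniffing logic doubles as a retrospective check: pointing it at an existing icon directory will flag any stored "image" whose bytes are actually a class file or archive, which is a cheap indicator to add to an incident review after a disclosure like this one.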

The vulnerability affects several versions of Versa Director, specifically 21.2.3, 22.1.2, and 22.1.3. Versa Networks, the company behind Versa Director, has issued an advisory recommending that users upgrade to the latest version, 22.1.4, which addresses the flaw.

The zero-day vulnerability was first discovered by researchers at Lumen's Black Lotus Labs on June 17, 2024, after a malicious Java binary named "VersaTest.png" was uploaded from Singapore to the cybersecurity database VirusTotal. Further analysis revealed that the file was a custom Java web shell, internally named "Director_tomcat_memShell" by the attackers but dubbed "VersaMem" by the researchers.

VersaMem is a sophisticated, memory-resident piece of malware designed specifically to target Versa Director systems. It can intercept and harvest credentials, allowing attackers to gain deeper access to the networks managed by the compromised Versa Directors.

Black Lotus Labs said that the zero-day vulnerability has been actively exploited since June 12, 2024. The attacks have targeted at least four US-based victims and one non-US victim, all within the ISP, MSP, and IT sectors. The initial access was gained through exposed Versa management ports intended for high-availability (HA) pairing of Director nodes. Once inside, the attackers deployed the VersaMem web shell to maintain persistence and further infiltrate the networks.

Based on the tactics, techniques, and procedures (TTPs) observed, Black Lotus Labs has attributed the exploitation of CVE-2024-39717 and the deployment of the VersaMem web shell to the Chinese state-sponsored hacking group Volt Typhoon, with moderate confidence. The group, also tracked as Bronze Silhouette, is known for targeting critical infrastructure and has a history of sophisticated cyber operations.

Organizations running Versa Director are strongly advised to upgrade to version 22.1.4 or later and to follow the security guidance provided by Versa Networks in recent advisories.
