US ISP, MSP & ITs Hit With Malware Stealing User Credentials

By TechDogs Bureau

TD NewsDesk

Updated on Wed, Aug 28, 2024

In the latest bout of cybercrime, American telecom company Lumen Technologies, which also offers network services, security, cloud solutions, voice and managed services, found a new threat that’s affecting the privacy of entities, users and customers in the United States.

Discovered by the company’s threat research arm, Black Lotus Labs, the threat was first identified over two months ago and could be highly significant!

So, what did the company observe about the zero-day vulnerability? Let’s explore!

What Did Black Lotus Labs Discover?

  • In a blog post published on its website, Lumen Technologies through Black Lotus Labs, its threat research and operations arm, revealed that it had discovered an active exploitation of a zero-day vulnerability.

  • The vulnerability, tracked as CVE-2024-39717, was observed in Versa Director servers. Versa Director is a virtualization and service creation platform that simplifies the creation, automation and delivery of services using Versa solutions through a single dashboard.

  • As per the research team behind the discovery, the vulnerability resides in Versa software-defined wide area network (SD-WAN) applications and affects all Versa Director versions prior to 22.1.4.

  • The researchers tied the vulnerability to a unique, custom-tailored web shell, which they called “VersaMem”.

  • Upon analysis of its global telemetry, the team found the zero-day vulnerability in small-office/home-office (SOHO) devices connected to four US victims and one non-US victim in the Internet service provider (ISP), managed service provider (MSP) and information technology (IT) sectors, with activity going back as far as June 12, 2024.

  • Based on previously known and observed tactics and techniques, the researchers believe the bad actors are most likely the Chinese state-sponsored group known as Volt Typhoon.

  • According to the researchers, “The threat actors gain initial administrative access over an exposed Versa management port intended for high-availability (HA) pairing of Director nodes, which leads to exploitation and the deployment of the VersaMem web shell.”

  • As such, the researchers advised entities using Versa Director to upgrade to version 22.1.4 or later and to review the security advisories that Versa Networks sent to customers on July 26 and August 8, 2024.


What Did Black Lotus Labs’ Findings Reveal About The Vulnerability?

  • The purpose of the web shell was to intercept and harvest the credentials of downstream customers, allowing the hackers to access those customers’ networks as authenticated users.

  • The researchers believe the initial access port for the compromised Versa Director systems was likely port 4566, which is a management port used for high-availability (HA) pairing between Versa nodes.

  • The researchers found compromised devices with TCP sessions over port 4566 that were immediately followed by large HTTPS connections over port 443 lasting several hours.

  • As per the team, the threat actors were likely testing their web shell “in the wild” on non-US victims before deploying on US targets.

  • Before being identified in the United States, the web shell was first uploaded to VirusTotal from Singapore on June 7, 2024, with the filename “VersaTest.png”, five days before the first identifiable US instance.

  • An analysis of TestMain.class confirmed it as the entry point for the web shell, while the CoreClassFileTransformer class automatically added two new transformers, CapturePassTransformer and WriteTestTransformer.

  • CapturePassTransformer was responsible for intercepting, harvesting and encrypting credentials, while WriteTestTransformer essentially allowed the threat actors to “send their GET or POST request to any URL” and have it intercepted and processed by their injected functionality.
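One way a defender could hunt for the access sequence described above (a short session on the HA-pairing port 4566 followed by a large, hours-long HTTPS session to the same Director) in flow records. This is an added example, not code from the Black Lotus Labs report or from Versa; the record layout, the follow-up window, the size and duration thresholds and the sample flows are all constructed assumptions.

```python
"""Hunt for the pattern in the report: a TCP session to the Versa Director HA-pairing
port (4566) immediately followed by a large, long-lived HTTPS (443) session to the
same Director. Added example; layout, thresholds and flows are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

HA_PAIRING_PORT = 4566                  # HA pairing port named in the report
HTTPS_PORT = 443
FOLLOW_WINDOW = timedelta(minutes=10)   # assumption for "immediately followed"
MIN_HTTPS_DURATION = timedelta(hours=1) # assumption for "several hours"
MIN_HTTPS_BYTES = 50 * 1024 * 1024      # assumption for "large" HTTPS sessions

@dataclass(frozen=True)
class Flow:            # one flow record: src -> dst:dport, start, length, size
    src: str
    dst: str
    dport: int
    start: datetime
    duration: timedelta
    nbytes: int

def suspicious_director_sessions(flows):
    """Return (src, dst, ha_start) for every 4566 session that is followed, within
    FOLLOW_WINDOW of its end, by a large long HTTPS session between the same hosts."""
    https = [f for f in flows if f.dport == HTTPS_PORT
             and f.duration >= MIN_HTTPS_DURATION and f.nbytes >= MIN_HTTPS_BYTES]
    hits = []
    for h in (f for f in flows if f.dport == HA_PAIRING_PORT):
        h_end = h.start + h.duration
        if any((w.src, w.dst) == (h.src, h.dst)
               and h_end <= w.start <= h_end + FOLLOW_WINDOW for w in https):
            hits.append((h.src, h.dst, h.start))
    return hits

# Constructed sample flows using RFC 5737 documentation addresses.
T0 = datetime(2024, 6, 12, 3, 0)
SAMPLE_FLOWS = [
    # suspicious: brief 4566 session, then a multi-hour 300 MiB HTTPS session
    Flow("198.51.100.7", "203.0.113.10", 4566, T0, timedelta(seconds=20), 4096),
    Flow("198.51.100.7", "203.0.113.10", 443, T0 + timedelta(minutes=2),
         timedelta(hours=5), 300 * 1024 * 1024),
    # benign: legitimate HA peer on 4566 with no HTTPS follow-up
    Flow("203.0.113.11", "203.0.113.10", 4566, T0, timedelta(hours=12), 80_000_000),
    # benign: ordinary short admin HTTPS session with no preceding 4566 session
    Flow("192.0.2.5", "203.0.113.10", 443, T0, timedelta(minutes=3), 200_000),
]

if __name__ == "__main__":
    for src, dst, when in suspicious_director_sessions(SAMPLE_FLOWS):
        print(f"review {src} -> {dst}: 4566 session at {when:%H:%M} then large HTTPS")
```

Only the first source/destination pair is reported; the legitimate HA peer and the short admin session fall outside the thresholds.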


[Image: overview of the Versa Director exploitation process and the VersaMem web shell functionality, as used in the Black Lotus Labs blog post]

What Did Black Lotus Labs Researchers Say?

  • Through the blog post, researchers at Black Lotus Labs said, “Given the severity of the vulnerability, the implications of compromised Versa Director systems, and the time that has now elapsed to allow Versa customers to patch the vulnerability, Black Lotus Labs felt it was appropriate to release this information at this time.”

  • “Lumen Technologies shared threat intelligence to warn appropriate U.S. Government agencies of the emerging risks that could impact our nation’s strategic assets.”

  • “Given the severity of the vulnerability, the sophistication of the threat actors, the critical role of Versa Director servers in the network, and the potential consequences of a successful compromise, Black Lotus Labs considers this exploitation campaign to be highly significant.”


Do you think platforms and their updates used by network providers, ISPs, MSPs and other IT organizations should go through more rigorous and robust testing before being deployed?

Let us know in the comments below!

First published on Wed, Aug 28, 2024
