Malicious hackers likely working on behalf of the Chinese government have exploited a high-severity zero-day vulnerability to infect at least four U.S.-based ISPs with malware that steals credentials used by downstream customers, researchers said Tuesday.
The vulnerability lies in Versa Director, a virtualization platform that allows ISPs and managed service providers to manage complex network infrastructures from a single dashboard, said researchers at Black Lotus Labs, the research arm of security firm Lumen. The attacks, which began no later than June 12 and are likely ongoing, allow threat actors to install “VersaMem,” the name Lumen gave to a custom web shell that enables remote management of Versa Director systems.
Gain administrator control over the ISP infrastructure
Administrative control lets VersaMem run with the privileges needed to hook into Versa's authentication methods, so the web shell can hijack the execution flow and inject new functionality. One capability VersaMem adds is capturing credentials at the moment an ISP customer submits them, before they are cryptographically hashed. Once in possession of the credentials, the threat actors work to compromise the customers. Black Lotus has not identified any of the affected ISPs, MSPs, or downstream customers.
CVE-2024-39717, as the vulnerability is known, is a file upload flaw that allows the injection of malicious Java files that then run on the Versa systems with elevated privileges. Versa patched the vulnerability on Monday, after Lumen had reported it privately. All versions of Versa Director prior to 22.1.4 are affected. To remain undetected, the threat actor carried out its attacks via compromised routers in small offices and home offices (SOHO devices).
“Given the severity of the vulnerability, the sophistication of the threat actors, the critical role of the Versa Director servers in the network, and the potential consequences of a successful attack, Black Lotus Labs considers this exploitation campaign to be extremely significant,” Tuesday's report said.
In at least “some cases,” Black Lotus said in an email, the threat actor appeared to gain initial access to the Versa Director systems via port 4566, which Versa uses to provide what it calls high-availability pairing between nodes. Versa's advisory pointed to its system hardening and firewall guidelines, first published in 2015, which call for restricting access to management ports. The advisory states, “The affected customers failed to implement the system hardening and firewall policies noted above, which left a management port exposed on the internet that allowed threat actors to gain initial access.”
In their post on Tuesday, the researchers at Black Lotus wrote:
Black Lotus Labs initially observed anomalous traffic associated with the potential exploitation of several U.S. victims' Versa Director servers between at least June 12, 2024 and mid-July 2024. Based on analysis of Lumen's global telemetry, the initial access port for the compromised Versa Director systems was likely port 4566, which Versa documentation indicates is a management port associated with the high availability (HA) pairing between Versa nodes. We identified compromised SOHO devices with TCP sessions over port 4566, which were immediately followed by large HTTPS connections over port 443 for several hours. Since port 4566 is generally reserved for Versa Director node pairing and the pairing nodes typically communicate with this port for extended periods of time, there should be no legitimate communications from SOHO devices to this port over short periods of time.
We evaluate the short period of TCP traffic to port 4566, immediately followed by medium to large sessions of HTTPS traffic over port 443 from a non-Versa node IP address (e.g. SOHO device), as a likely sign of successful exploitation. Searching Lumen's global telemetry, we identified four US victims and one non-US victim in the ISP, MSP, and IT sectors, with the earliest exploitation activity occurring on June 12, 2024 at a US ISP.
The following graphic provides an overview of Black Lotus Labs' observations related to the exploitation of CVE-2024-xxxx and the use of the VersaMem web shell:
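The traffic pattern Black Lotus Labs describes above (a brief TCP session to the HA-pairing port 4566 from an address that is not a Versa node, followed within minutes by a long, large HTTPS session from the same source) can be turned into a simple flow-record hunt. The following is an added example, not code from Lumen or Versa: the flow records, the Director address, the known-peer allowlist and the duration and byte thresholds are all constructed assumptions for illustration, and a real deployment would read flows from its own collector and tune the thresholds to observed pairing behaviour.

```python
"""Hunt for the exploitation pattern reported by Black Lotus Labs:
short TCP session to Versa Director port 4566 from a non-Versa-node IP,
followed shortly by a long, large HTTPS session from the same source.
All flow records here are constructed sample data, not real telemetry."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    start: datetime
    src: str
    dst: str
    dport: int
    duration_s: int
    nbytes: int


# Assumption: the defender maintains a list of legitimate Versa Director peers.
# Anything else that touches the pairing port is suspect by definition.
VERSA_NODES = [ip_network("10.20.0.0/24")]

PAIRING_PORT = 4566
HTTPS_PORT = 443
MAX_PAIRING_SECONDS = 120               # real HA pairing sessions persist far longer
FOLLOW_UP_WINDOW = timedelta(minutes=10)  # how soon the HTTPS session must follow
MIN_HTTPS_SECONDS = 1800                # report says "several hours"; 30 min is a floor
MIN_HTTPS_BYTES = 5_000_000             # "medium to large" session, assumed threshold


def is_versa_node(addr: str) -> bool:
    """True if addr belongs to a known legitimate Versa Director peer."""
    ip = ip_address(addr)
    return any(ip in net for net in VERSA_NODES)


def find_suspect_sources(flows, director_ip: str) -> list:
    """Return one hit per source that shows the probe-then-HTTPS pattern."""
    hits = []
    to_director = sorted((f for f in flows if f.dst == director_ip), key=lambda f: f.start)
    for probe in to_director:
        # Only short sessions to 4566 from non-peers are candidate probes.
        if probe.dport != PAIRING_PORT or probe.duration_s > MAX_PAIRING_SECONDS:
            continue
        if is_versa_node(probe.src):
            continue
        probe_end = probe.start + timedelta(seconds=probe.duration_s)
        for follow in to_director:
            if follow.src != probe.src or follow.dport != HTTPS_PORT:
                continue
            if not (probe.start <= follow.start <= probe_end + FOLLOW_UP_WINDOW):
                continue
            if follow.duration_s >= MIN_HTTPS_SECONDS and follow.nbytes >= MIN_HTTPS_BYTES:
                hits.append({
                    "src": probe.src,
                    "pairing_probe_at": probe.start.isoformat(),
                    "https_session_at": follow.start.isoformat(),
                    "https_bytes": follow.nbytes,
                })
                break
    return hits


# Constructed sample flows (documentation address ranges, not real hosts).
DIRECTOR_IP = "203.0.113.10"
T0 = datetime(2024, 6, 12, 3, 0, 0)
SAMPLE_FLOWS = [
    # Legitimate HA peer: long-lived pairing session from an allowlisted node.
    Flow(T0, "10.20.0.5", DIRECTOR_IP, 4566, 86_400, 400_000),
    # SOHO-style source: 14-second hit on 4566, then a 4-hour HTTPS session.
    Flow(T0 + timedelta(minutes=5), "198.51.100.77", DIRECTOR_IP, 4566, 14, 3_200),
    Flow(T0 + timedelta(minutes=6), "198.51.100.77", DIRECTOR_IP, 443, 4 * 3600, 48_000_000),
    # Ordinary admin using the web UI: HTTPS only, never touches 4566.
    Flow(T0 + timedelta(minutes=30), "198.51.100.20", DIRECTOR_IP, 443, 900, 2_000_000),
    # Bare scan of 4566 with no follow-up session: not the reported pattern.
    Flow(T0 + timedelta(hours=2), "192.0.2.9", DIRECTOR_IP, 4566, 3, 120),
]

if __name__ == "__main__":
    for hit in find_suspect_sources(SAMPLE_FLOWS, DIRECTOR_IP):
        print(hit)
```

Two caveats a practitioner would want: the allowlist of Versa peers is what makes the 4566 check meaningful, so it has to be kept current as nodes are added; and the thresholds above are assumptions, not values from the report, so they should be calibrated against a baseline of real pairing traffic before being used to alert. Following Versa's hardening guidance and firewalling port 4566 to the peer nodes removes the exposure that this pattern relies on in the first place.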