(Credit: Anton Petrus via Getty Images)
Suspected Chinese hackers have been exploiting a previously unknown "zero-day" vulnerability in networking software to plant password-harvesting malware in at least one US-based ISP.
The flaw affects a product called Versa Director, which ISPs use to manage SD-WAN networks. On Tuesday, researchers with Black Lotus Labs at Lumen Technologies said they had spotted Chinese hackers exploiting the vulnerability since at least June 12.
Lumen, a telecom and fiber provider, says analysis of its global telemetry suggests the hackers were hijacking small-office and home-office devices.
Lumen didn't reveal the extent of the hacking campaign, or name affected companies. But in a blog post, Black Lotus Labs said: “We identified four US victims and one non-US victim in the ISP, MSP (managed service provider), and IT sectors, with the earliest exploitation activity occurring at a US ISP on June 12, 2024."
The hackers exploited the flaw after gaining "initial administrative access over an exposed Versa management port intended for high-availability (HA) pairing of Director nodes," the team adds.
Versa Networks, which makes the Versa Director, has rated the zero-day vulnerability as a "high threat" because it can be abused to gain admin privileges over the company’s software and make changes, including installing malware.
“This vulnerability allowed potentially malicious files to be uploaded by users with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges,” the company said. “This vulnerability has been exploited in at least one known instance by an Advanced Persistent Threat actor.”
(Credit: Black Lotus Labs)According to Black Lotus Labs, the Chinese hackers leveraged the flaw to plant malware known as VersaMem, which is designed “to intercept and harvest credentials which would enable access into downstream customers’ networks as an authenticated user.” VersaMem, which masquerades as an image .png file, is also able to evade detection from antivirus software.
The Black Lotus Labs team links the malware to the Chinese state-sponsored hacking group Volt Typhoon with “moderate confidence." In February, the FBI and NSA called out Volt Typhoon as a Chinese hacking threat that’s been lurking in some US networks for as long as five years. The group is also known to use "known or zero-day vulnerabilities in public-facing network appliances" such as routers to spy on victims, according to federal agencies.
In response to the attacks, Versa Networks released a patch, which is called CVE-2024-39717. “Although the vulnerability is difficult to exploit, it’s rated ‘High’ and affects all Versa SD-WAN customers using Versa Director, that have not implemented the system hardening and firewall guidelines,” the company added.