Chinese Volt Typhoon hackers exploited Versa zero-day to breach ISPs, MSPs

From bleepingcomputer.com

The Chinese state-backed hacking group Volt Typhoon is behind attacks that exploited a zero-day flaw in Versa Director to upload a custom webshell to steal credentials and breach corporate networks.

Versa Director is a management platform ISPs and MSPs use to manage virtual WAN connections created using SD-WAN services.

The vulnerability is tracked as CVE-2024-39717 and resides in a feature that allows admins to upload custom icons to customize the Versa Director GUI. The flaw allowed threat actors who already held administrator privileges to upload malicious Java files disguised as PNG images, which could then be executed remotely.
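The weakness described above is a classic upload-validation gap: an icon endpoint trusting the file name or extension instead of the file content. The following Python is an added illustration of the defensive check, written for this page; it is not Versa's code and does not reflect how Versa Director implements icon uploads. The function names (`validate_icon_upload`, `check_upload`), the size limit and the sample inputs are assumptions and constructed test data. It goes beyond the extension check by parsing the PNG chunk structure, so it also rejects a real PNG with a payload appended after `IEND` (a polyglot), not only a Java class file renamed to `.png`.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # leading bytes of every Java .class file
MAX_ICON_BYTES = 256 * 1024              # assumed upper bound for a GUI icon


class IconRejected(ValueError):
    """Raised when an uploaded icon fails content validation."""


def _parse_png_chunks(data: bytes) -> list:
    """Walk the PNG chunk list, verifying lengths and CRCs; returns chunk types in order."""
    if not data.startswith(PNG_SIGNATURE):
        raise IconRejected("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    types = []
    while pos < len(data):
        if pos + 8 > len(data):
            raise IconRejected("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if length > 2 ** 31 - 1:                 # limit from the PNG spec
            raise IconRejected("chunk length exceeds PNG limit")
        body_start, body_end = pos + 8, pos + 8 + length
        crc_end = body_end + 4
        if crc_end > len(data):
            raise IconRejected("chunk body or CRC truncated")
        body = data[body_start:body_end]
        (crc,) = struct.unpack(">I", data[body_end:crc_end])
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != crc:
            raise IconRejected(f"bad CRC on {ctype!r} chunk")
        types.append(ctype)
        pos = crc_end
        if ctype == b"IEND":
            break
    # Anything after IEND is not part of the image: reject polyglots.
    if pos != len(data):
        raise IconRejected("trailing bytes after IEND")
    if not types or types[0] != b"IHDR" or types[-1] != b"IEND":
        raise IconRejected("IHDR/IEND framing missing")
    return types


def validate_icon_upload(filename: str, data: bytes) -> bool:
    """Accept only a plain .png file name whose bytes are a well-formed PNG."""
    # Name checks are necessary (no path traversal, no other extensions) but not sufficient.
    if not filename.lower().endswith(".png") or any(s in filename for s in ("/", "\\", "..")):
        raise IconRejected("filename is not a plain .png")
    if len(data) > MAX_ICON_BYTES:
        raise IconRejected("icon too large")
    # Cheap early reject for the exact disguise described in the article.
    if data.startswith(JAVA_CLASS_MAGIC):
        raise IconRejected("Java class file disguised as PNG")
    _parse_png_chunks(data)
    return True


def check_upload(filename: str, data: bytes) -> str:
    """Wrapper returning 'accepted' or 'rejected: <reason>' for logging and tests."""
    try:
        validate_icon_upload(filename, data)
        return "accepted"
    except IconRejected as exc:
        return f"rejected: {exc}"


# --- constructed sample inputs (not real artifacts from the incident) ---

def _chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def make_sample_png() -> bytes:
    """A minimal valid 1x1 grayscale PNG built in memory."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")   # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


FAKE_JAVA_AS_PNG = JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34" + b"constructed placeholder, not bytecode"
POLYGLOT_PNG = make_sample_png() + b"constructed trailing payload"

if __name__ == "__main__":
    for name, blob in [("logo.png", make_sample_png()),
                       ("logo.png", FAKE_JAVA_AS_PNG),
                       ("logo.png", POLYGLOT_PNG),
                       ("Shell.java", make_sample_png())]:
        print(name, "->", check_upload(name, blob))
```

The point of the chunk walk is that magic-byte checks alone still pass a file that begins as a valid PNG and carries executable content after the image; requiring that the data end exactly at `IEND` closes that gap, and the whole check runs before the file is ever written to a web-served directory.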

In an advisory published yesterday, Versa says that Director versions 21.2.3, 22.1.2, and 22.1.3 are impacted by the flaw. Upgrading to the latest version, 22.1.4, will fix the vulnerability, and admins should review the vendor’s system hardening requirements and firewall guidelines.

Versa told BleepingComputer that they classify this vulnerability as a privilege elevation flaw as it was used to harvest credentials from users who logged into the system. However, other types of malware could have been used to perform different types of malicious activity on the device.
