Malicious hackers likely working on behalf of the Chinese government have been exploiting a high-severity zero-day vulnerability that allowed them to infect at least four US-based ISPs with malware that steals credentials used by downstream customers, researchers said Tuesday.
The vulnerability resides in the Versa Director, a virtualization platform that allows ISPs and managed service providers to manage complex networking infrastructures from a single dashboard, researchers from Black Lotus Labs, the research arm of security firm Lumen, said. The attacks, which began no later than June 12 and are likely ongoing, allow the threat actors to install “VersaMem,” the name Lumen gave to a custom web shell that gives remote administrative control of Versa Director systems.
Getting admin control of ISP infrastructure
The administrative control allows VersaMem to run with the necessary privileges to hook the Versa authentication methods, meaning the web shell can hijack the execution flow to make it introduce new functions. One of the functions VersaMem added includes capturing credentials at the moment an ISP customer enters them and before they are cryptographically hashed. Once in possession of the credentials, the threat actors work to compromise the customers. Black Lotus didn’t identify any of the affected ISPs, MSPs, or downstream customers.
CVE-2024-39717, as the zero-day is tracked, is an unsanitized file upload vulnerability that allows for the injection of malicious Java files that run on the Versa systems with elevated privileges. Versa patched the vulnerability Monday after Lumen privately reported it earlier. All versions of Versa Director prior to 22.1.4 are affected. To fly under the radar, the threat actor waged their attacks through compromised small office and home office routers.
“Given the severity of the vulnerability, the sophistication of the threat actors, the critical role of Versa Director servers in the network, and the potential consequences of a successful compromise, Black Lotus Labs considers this exploitation campaign to be highly significant,” Tuesday’s report said.
