Your Internet Provider Might Have Got Hacked



Since July 12, four unnamed American Internet Service Providers (ISPs) have been hacked. They all used the same platform to manage and control their vast networking enterprise. By infiltrating this platform, hackers managed to steal customer credentials, which were otherwise encrypted.




Black Lotus Labs first discovered and reported the vulnerability in Versa Director (the platform these four ISPs were using) two days ago. The researchers identified the first exploitation of this vulnerability dating back to June 12, 2024, and it was only patched on August 26, 2024.

The attackers hijacked small office and home office routers to enter Versa Director systems. They were able to penetrate Versa’s systems because of an exposed port (which should have been protected by a hardened firewall, but the affected ISPs didn’t follow Versa’s instructions). The threat actors used this entry point to inject a malicious Java file called “VersaMem.” That’s where the bug was: the file upload system, which should have sanitized this file, did not. This code gave them admin access to the entire Versa Director dashboard.


Once the JAR file had been deployed, the attackers gained remote admin access, hijacked Versa’s authentication process, and started stealing people’s credentials (usernames and passwords) before they could be encrypted for transit. What’s more: the VersaMem JAR file has a modular design, meaning stealing credentials is just one of its components. The hackers can potentially add more functionality to it, but Black Lotus Labs has only unearthed one module so far.

The malware is also incredibly sophisticated and hard to detect because it lives entirely in volatile memory. The VersaMem malware “currently has zero anti-virus (AV) detections,” according to Black Lotus Labs. Versa has classified it as a highly severe threat, urging its customers to upgrade Versa Director, follow firewall requirements, and harden security. An update on the Versa bulletin also explains how to scan for the malicious code on infected systems.


Based on the sophistication and plan of attack, the researchers at Black Lotus Labs think that Volt Typhoon is responsible. “Volt Typhoon” is a Chinese state-sponsored group that has been targeting different infrastructure sectors in the U.S.

Source: Versa Blog, Black Lotus Labs, Ars Technica


