The Versa Director Zero-Day Exploitation
On August 27, 2024, Black Lotus Labs revealed the active exploitation of a zero-day vulnerability in Versa Director servers. Identified as CVE-2024-39717, this vulnerability impacts all Versa Director versions before 22.1.4. CISA added CVE-2024-39717 to the KEV.
Introduction
On August 27, 2024, Black Lotus Labs, the research arm of Lumen Technologies, revealed the active exploitation of a zero-day vulnerability in Versa Director servers. Identified as CVE-2024-39717, this vulnerability impacts all Versa Director versions before 22.1.4. Versa Director, a crucial component of Versa's SD-WAN (software-defined wide area network) applications, is widely used by Internet Service Providers (ISPs) and Managed Service Providers (MSPs) to manage network configurations. The discovery of a sophisticated web shell named "VersaMem" has further highlighted the critical nature of this security breach.
Report Overview
Versa Director plays an essential role in orchestrating SD-WAN functionality, making it an attractive target for advanced persistent threat (APT) actors. The vulnerability was first uncovered by Black Lotus Labs, which identified the active exploitation of Versa Director servers across multiple sectors, including ISPs, MSPs, and IT. Later that day CISA added CVE-2024-39717 to the Known Exploited Vulnerability (KEV) Catalogue.
The attack leverages the VersaMem web shell, a custom-built malicious tool that allows attackers to intercept credentials and execute additional code within the network. The web shell was initially uploaded to VirusTotal from Singapore on June 7, 2024, under the filename "VersaTest.png." Despite its presence in the wild, the shell had zero anti-virus detections as of mid-August 2024, highlighting its stealth and the sophistication of the actors behind it.
The attack begins with exploiting an exposed management port on the Versa Director server, typically used for high-availability (HA) pairing of Director nodes. Once initial access is gained, the attackers deploy the VersaMem web shell. This web shell attaches to the primary Apache Tomcat process on the server and leverages the Java Instrumentation API and Javassist for in-memory code modification.
Key functions of VersaMem include credential harvesting, where the web shell intercepts plaintext credentials, encrypts them, and stores them on disk for later retrieval, and in-memory module loading, where it dynamically loads additional Java modules directly into memory, bypassing traditional file-based detection methods.
Lumen's global telemetry revealed that the earliest known exploitation, targeting a U.S. ISP, occurred on June 12, 2024. The attackers likely utilized small-office/home-office (SOHO) devices to communicate with the compromised Versa Director servers, further complicating detection efforts.
The implications of this vulnerability are severe. By compromising Versa Director servers, attackers can gain unauthorized access to network configurations and potentially control or monitor the network infrastructure of numerous downstream clients. The affected sectors, including ISPs, MSPs, and IT, are critical to the broader internet and technology ecosystem, making this an especially concerning development.
Insights and Analysis
Black Lotus Labs attributes this attack with moderate confidence to the Chinese state-sponsored threat actors, Volt Typhoon and Bronze Silhouette. The ongoing exploitation of unpatched systems suggests a coordinated effort to target vulnerable networks before widespread patching can occur.
The use of the VersaMem web shell represents a significant advancement in cyberattack techniques. By operating entirely in memory, the web shell avoids leaving traditional forensic evidence on disk, making detection and mitigation much more challenging.
Given the severity of this vulnerability and the critical infrastructure it affects, organizations using Versa Director are strongly encouraged to take immediate action:
- Upgrade to Version 22.1.4 or Later: Patch the vulnerability to prevent further exploitation.
- Port Management: Restrict external access to management ports 4566 and 4570, limiting communication to legitimate HA-pairing traffic.
- System Monitoring: Regularly audit user accounts, logs, and newly created files for signs of compromise.
- Credential Management: Rotate credentials and review downstream customer accounts to prevent unauthorized access.
The discovery and exploitation of CVE-2024-39717 illustrate the persistent and evolving threats posed by state-sponsored actors. The sophisticated use of the VersaMem web shell, combined with the targeted nature of the attack, makes this a critical security incident that demands immediate attention and action.
Indicators of Compromise
| Indicator | Type | Description |
|---|---|---|
| /tmp/.temp.data | File Path | Path where intercepted and encrypted credentials are stored by the VersaMem web shell. |
| VersaTest.png | Filename | Name of the JAR web shell uploaded to VirusTotal, which is disguised as a PNG file. |
| Port 4566 | Network Port | Management port associated with high-availability (HA) pairing between Versa nodes, likely exploited for initial access by attackers. |
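The following host-triage script is an added example, not code from Black Lotus Labs, Versa or the original report. It turns the indicators above and the hardening steps listed earlier into checks a defender can run on a Director node: it looks for the /tmp/.temp.data credential store, walks a directory for .png files that are really JAR (ZIP) archives, and parses `ss -ltn` output to flag HA ports 4566/4570 bound to a non-loopback address. The sample files and the `ss` text are constructed for the demonstration; the directory root and the `ss` output are assumed inputs.

```python
import tempfile
from pathlib import Path

ZIP_MAGIC = b"PK\x03\x04"                  # a JAR is a ZIP archive
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
CREDENTIAL_DUMP = Path("/tmp/.temp.data")  # VersaMem credential store (IoC table)
HA_PORTS = {4566, 4570}                    # Director HA-pairing management ports

def is_masqueraded_jar(path):
    """True when a .png file actually starts with a ZIP/JAR header."""
    with open(path, "rb") as fh:
        return fh.read(4) == ZIP_MAGIC

def find_masqueraded_jars(root):
    """Walk root for *.png files whose content is really a JAR."""
    return sorted(str(p) for p in Path(root).rglob("*.png")
                  if p.is_file() and is_masqueraded_jar(p))

def exposed_ha_ports(ss_output):
    """Parse `ss -ltn` text; return HA ports listening on a non-loopback address."""
    exposed = set()
    for line in ss_output.splitlines()[1:]:        # skip the header row
        cols = line.split()
        if len(cols) < 4:
            continue
        addr, _, port = cols[3].rpartition(":")    # "Local Address:Port" column
        if port.isdigit() and int(port) in HA_PORTS and addr not in ("127.0.0.1", "[::1]"):
            exposed.add(int(port))
    return exposed

def triage(root, ss_output, cred_path=CREDENTIAL_DUMP):
    """Combine the three checks into one findings dict."""
    return {
        "credential_dump_present": Path(cred_path).exists(),
        "masqueraded_jars": find_masqueraded_jars(root),
        "exposed_ha_ports": sorted(exposed_ha_ports(ss_output)),
    }

# Constructed sample data (not real artefacts): a benign PNG, a JAR named like the
# VirusTotal upload, and fake `ss -ltn` output with 4570 bound on all interfaces.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:4566      0.0.0.0:*
LISTEN 0      128    0.0.0.0:4570        0.0.0.0:*
LISTEN 0      511    *:443               *:*
"""

def build_sample_tree():
    root = Path(tempfile.mkdtemp(prefix="versa-triage-"))
    (root / "images").mkdir()
    (root / "images" / "logo.png").write_bytes(PNG_MAGIC + b"\x00" * 16)
    (root / "VersaTest.png").write_bytes(ZIP_MAGIC + b"\x00" * 16)
    return root

if __name__ == "__main__":
    print(triage(build_sample_tree(), SAMPLE_SS))
```

On a real node, pass the Tomcat webapps or upload directory as `root` and the captured output of `ss -ltn` as `ss_output`.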
MITRE ATT&CK Techniques
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 | Exploiting a vulnerability in the Versa Director servers' exposed management port for initial access. |
| Execution | Command and Scripting Interpreter: Java | T1059.006 | Execution of the VersaMem web shell using Java within the Apache Tomcat process on the compromised server. |
| Persistence | Server Software Component: Web Shell | T1505.003 | Deployment of a web shell on the compromised Versa Director server to maintain persistence. |
| Credential Access | Input Capture: Keylogging | T1056.001 | Interception of plaintext credentials by the VersaMem web shell from the Versa Director server. |
| Defense Evasion | Masquerading: Match Legitimate Name or Location | T1036.005 | Disguising the malicious JAR file as a PNG image to avoid detection. |