Volt Typhoon is wreaking havoc again – this time on US internet providers
Chinese state-backed hackers are thought to be actively exploiting a zero-day in SD-WAN software to infect corporate networks at US internet providers
Hackers exploited a high severity zero-day vulnerability in a popular network configuration tool in order to gain access to four internet providers in the US, according to a new report.
Lumen Technologies’ Black Lotus Labs team issued a report on 27 August detailing its discovery of active exploitation of a flaw in servers running Versa Networks’ Director software, linking the campaign to the state-backed Chinese threat collective Volt Typhoon.
Versa Director is a virtualization and service creation platform used by many companies, including internet providers (ISPs), to manage their wide-area network.
The report noted the software’s important role in network management makes it an appealing target for threat actors looking to view or control network infrastructure, as well as move into other networks downstream.
“Director servers enable the orchestration of Versa’s SD-WAN functionality, positioning them as a critical and attractive target for threat actors seeking to extend their reach within enterprise network management.”
CVE-2024-39717, designated a 7.2 rating on the CVSS, is a dangerous file type upload vulnerability where attackers manipulate the software’s ‘change favicon’ option to remotely upload and execute a malicious java file masked as a PNG image.
Once the network is infected the attackers can begin harvesting credentials that could enable access to downstream customer’s networks as an authenticated user.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Black Lotus Labs said its global telemetry identified ‘actor-controlled small-office/home-office (SOHO) devices exploiting the flaw at five different organizations, operating in the ISP, MSP, and IT sector, with four being located in the US.
The exploitation has been dated to as early as June 2024, with the report noting the attackers’ use of the custom web shell VersaMem led them to attribute the campaign to the Chinese Volt Typhoon group with ‘moderate confidence’.
Volt Typhoon continues targeting US infrastructure
Volt Typhoon is believed to be a state-sponsored hacking group operating out of China and predominantly targeting critical infrastructure organizations in the US.
David Sancho, senior threat researcher at Trend Micro, told ITPro the company has been tracking the Volt Typhoon for some time, outlining the groups’ tactics, techniques, and proceduress.
“Volt Typhoon, a Chinese threat actor with political motivations, has captured the attention of us for a while due to its persistent threats. Over the past year, the sophisticated group has targeted critical infrastructure within the United States, demonstrating an evolving threat to national security,” he said.
“The group primarily employs "living off the land" techniques, leveraging tools already in compromised systems to avoid detection. This is complemented by the use of open-source and custom-built tools. Given Volt Typhoon's political motivations, as opposed to purely financial, organizations within the public sector and those operating in critical industries face the highest risk of compromise.”
Earlier this year, the National Security Agency (NSA), FBI, and Cybersecurity and Infrastructure Agency (CISA) issued a joint report detailing how the group had compromised networks of a series of critical infrastructure organizations.
These firms ran the gamut of critical infrastructure sectors, from communications, energy, transportation and water to defense and healthcare.
Around the same time, both Microsoft and OpenAI issued a warning about how the group were leveraging generative AI and LLM-enhanced scripting techniques to launch a greater volume of more sophisticated attacks.
Speaking to ITPro, Adam Marrè, CISO at Arctic Wolf said the fact that the group has recently been targeting internet providers should not come as a surprise given their track record attacking critical infrastructure.
“Much like power grids and water systems, the ubiquity of internet access has made it a core piece of our critical infrastructure. As the backbone of societal operations around the world – it isn’t surprising we’re seeing more and more attacks that target internet service providers specifically; similar to the Halliburton attack last week,” he explained.
“This exploitation conducted by Volt Typhoon is another example in a long string of attacks that the group has conducted. The People's Republic of China continues to be the most concerning strategic adversary to the United States,” Marrè added.
“These actions, and many others over the last few years, show us that the cyber elements of the PLA, as exemplified by Volt Typhoon, are preparing for possible conflict and continuing to steal intellectual property and other information at an aggressive pace. “
Marrè stressed that organizations outside of the US should also be wary of similar attacks, citing a recent attack on a German medical facility.
Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.