Chinese Cyber Attacks Suspected on US Undercover Agents
Hackers exploited a zero-day vulnerability in Versa Director—software widely used by ISPs to secure network operations—compromising several internet companies in the United States (US) and abroad, according to Black Lotus Labs, the threat research division of Lumen Technologies.
Lumen suspects the attacks may originate from China.
Lumen noted:
“Based on known and observed tactics and techniques, Black Lotus Labs attributes the zero-day exploitation of CVE-2024-39717 and operational use of the VersaMem web shell with moderate confidence to the Chinese state-sponsored threat actors known as Volt Typhoon and Bronze Silhouette.”
Lumen's researchers identified four US victims and one foreign victim, with targets reportedly including government and military personnel working undercover, as well as other groups of strategic interest to China.
The exploit remains active against unpatched Versa Director systems, the researchers warn.
Brandon Wales, former executive director of the US Cybersecurity and Infrastructure Security Agency (CISA), highlighted the growing sophistication of Chinese cyberattacks and called for increased cybersecurity investments.
He said:
“China continues to target U.S. critical infrastructure. The exposing of the Volt Typhoon efforts has obviously resulted in changes in tactics, the tradecraft that they're using, but we know that they are continuing every day to try to compromise U.S. critical infrastructure.”
Black Lotus Labs emphasized the severity of the vulnerability and urged organisations using Versa Director to upgrade to version 22.1.4 or later.
China Denies Allegations
China has denied the allegations, stating that "Volt Typhoon" is actually a ransomware cybercriminal group that refers to itself as the "Dark Power" and is not sponsored by any state or region.
The denial was made by embassy spokesman Liu Pengyu and echoed by Lin Jian, spokesperson for China's Ministry of Foreign Affairs, in a communication with the Global Times on 15 April.
According to the findings, Volt Typhoon utilised a specialised web shell known as "VersaMem" to capture user login details.
Figure: Overview of the Versa Director exploitation process and the VersaMem web shell functionality.
VersaMem is a sophisticated piece of malicious software that attaches itself to different processes and manipulates the Java code of vulnerable servers.
It operates entirely in memory, making it particularly challenging to detect.
Versa Director Servers Targeted in Exploit
The exploit specifically targeted Versa Director servers, which are commonly used by internet and managed service providers, making them prime targets for threat actors looking to penetrate enterprise network management systems.
Versa Networks confirmed the vulnerability on Monday, noting that it had been exploited "in at least one known instance."
According to Lumen, the VersaMem web shell was first detected on VirusTotal on 7 June, shortly before the initial exploitation.
Figure: Screenshot from VirusTotal for VersaTest.png (SHA256: 4bcedac20a75e8f8833f4725adfc87577c32990c3783bf6c743f14599a176c37) showing 0 detections.
The malware, compiled using Apache Maven, included comments in Chinese characters within the code and remained undetected by antivirus software as of mid-August.