A zero-day vulnerability in Versa Director (CVE-2024-39717) let a Chinese state-sponsored APT group plant a credential-harvesting web shell on the management servers of U.S. ISPs and MSPs, and from there pivot toward those providers’ downstream customers. Dubbed Volt Typhoon, the group’s aim is to be ready for cyberwar between the PRC and America, “to induce panic.” So, yeah, this is a major problem.
But Versa Networks, Inc. made the classic PR faux pas of blaming its own customers—major U.S. ISPs and MSPs. In today’s SB Blogwatch, we break out the popcorn.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Handpan and hair.
What’s the craic? Lorenzo Franceschi-Bicchierai reports: Chinese government hackers targeted US internet providers with zero-day
“Real-world harm”
A group of hackers … known as Volt Typhoon was exploiting the zero-day flaw. … Versa sells software to manage network configurations, and is used by internet service providers (ISPs) and managed service providers (MSPs), which makes Versa “a critical and attractive target.”
…
Volt Typhoon … focuses on targeting critical infrastructure, including communication and telecom networks, with the goal of causing “real-world harm” in the event of a future conflict with the United States. [They] were targeting Versa servers as crossroads where they could then pivot into other networks, … “because of the access that they could potentially provide to additional downstream customers.”
Horse’s mouth? Black Lotus Labs’ Michael Horka: Taking the Crossroads
“June 12”
A zero-day vulnerability in Versa Director servers, identified as CVE-2024-39717, … is found in Versa software-defined wide area network (SD-WAN) applications and affects all Versa Director versions prior to 22.1.4. [We] identified a unique, custom-tailored web shell that is tied to this vulnerability, which we call “VersaMem.” The web shell’s primary purpose is to intercept and harvest credentials which would enable access into downstream customers’ networks.
…
[We] observed the zero-day exploitation … dating back to at least June 12, 2024. … IoCs [at] our GitHub page.
Black Lotus whatnow? All aboard the Brian Krebs cycle: New 0-Day Attacks Linked to China’s ‘Volt Typhoon’
“Blame on Versa customers”
Black Lotus Labs, the security research arm of Lumen Technologies, which operates one of the global Internet’s largest backbones … said it assessed with “medium” confidence that Volt Typhoon was responsible for the compromises, noting the intrusions bear the hallmarks of the Chinese state-sponsored espionage group. … Volt Typhoon [is] focused on infiltrating critical U.S. networks and laying the groundwork for the ability to disrupt communications between the United States and Asia during any future armed conflict with China.
…
CISA … joined the FBI and NSA in warning [they] “assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement … to disrupt functions.” … FBI Director Christopher Wray said China is developing the “ability to physically wreak havoc on our critical infrastructure at a time of its choosing,” and that China’s plan is to “land blows against civilian infrastructure to try to induce panic.”
…
Versa … placed much of the blame on … customers who “failed to implement system hardening and firewall guidelines, … leaving a management port exposed on the internet that provided the threat actors with initial access.”
I’m sorry? It’s the customers’ fault? That’s how IGotOut reads it:
Sigh. I really hope this isn’t as it reads, i.e., blame the customer, not the manufacturer.
Sure looks like it. Lonestar1440 is less even-handed:
Close the damn ports. … If ISPs are leaving management ports open on the Internet, it’s going to take more than a vendor patch to protect them from cyber warfare. … You can, as an organization, choose to … be “Secure by default”, with exceptions—e.g., “Open a port other than 443 to the Internet.”
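The “secure by default, with exceptions” idea above is checkable rather than aspirational: simulate a new TCP connection from the Internet against the host’s inbound firewall chain and list every port that would be accepted but is not on the public allowlist. The script below is an added example, not Versa’s tooling or anything from the articles quoted here. It parses an iptables-save style INPUT chain and applies first-match semantics to a probe connection. The allowlist (443 only), the external interface name, the source address (an RFC 5737 documentation address) and the two sample rulesets are all constructed assumptions; swap in your own dump and your vendor’s list of management ports.

```python
"""Audit an iptables-save INPUT chain: which TCP ports would a brand-new
connection from the Internet reach?  Added example, not vendor tooling."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Assumptions (placeholders, not from the article): the only service this host
# should expose to the Internet, the name of its Internet-facing interface, and
# a documentation address standing in for "some host on the Internet".
PUBLIC_PORTS = {443}
EXTERNAL_IFACE = "eth0"
INTERNET_SOURCE = ipaddress.ip_address("203.0.113.5")


@dataclass
class Rule:
    iface: Optional[str]                   # -i; None = any interface
    src: Optional[ipaddress.IPv4Network]   # -s; None = any source
    proto: Optional[str]                   # -p; None = any protocol
    dport: Optional[int]                   # --dport; None = any port
    new_ok: bool                           # False if --state/--ctstate excludes NEW
    target: str                            # -j


def parse_input_chain(text: str):
    """Return (rules, default_policy) for the INPUT chain of an iptables-save dump.
    Only the options used below are modelled; other matches are skipped."""
    rules, policy = [], "ACCEPT"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":INPUT "):
            policy = line.split()[1]
            continue
        if not line.startswith("-A INPUT"):
            continue
        tok = shlex.split(line)
        r = Rule(None, None, None, None, True, "RETURN")
        i = 2
        while i < len(tok):
            opt = tok[i]
            arg = tok[i + 1] if i + 1 < len(tok) else None
            if opt in ("-i", "--in-interface"):
                r.iface = arg
            elif opt in ("-s", "--source"):
                r.src = ipaddress.ip_network(arg, strict=False)
            elif opt in ("-p", "--protocol"):
                r.proto = arg
            elif opt in ("--dport", "--destination-port"):
                r.dport = int(arg)
            elif opt in ("--state", "--ctstate"):
                r.new_ok = "NEW" in arg.split(",")
            elif opt in ("-j", "--jump"):
                r.target = arg
            else:                # -m conntrack, -m tcp, ...: consume one token only
                i += 1
                continue
            i += 2
        rules.append(r)
    return rules, policy


def first_match(rules, policy, iface, src_ip, dport) -> str:
    """iptables semantics: the first matching rule's target wins, else the chain
    policy.  The probe is a new TCP SYN, so ESTABLISHED-only rules never match."""
    for r in rules:
        if r.iface not in (None, iface):
            continue
        if r.src is not None and src_ip not in r.src:
            continue
        if r.proto not in (None, "tcp"):
            continue
        if r.dport not in (None, dport):
            continue
        if not r.new_ok:
            continue
        return r.target
    return policy


def internet_reachable_ports(text: str) -> set:
    """TCP ports a new connection from INTERNET_SOURCE would reach.  The verdict
    depends on dport only through the ports the rules name, so probing those plus
    one unnamed port covers all 65535; "*" means every port no rule names."""
    rules, policy = parse_input_chain(text)
    named = {r.dport for r in rules if r.dport is not None}
    probe = next(p for p in range(49152, 65536) if p not in named)
    reached = set()
    for port in named:
        if first_match(rules, policy, EXTERNAL_IFACE, INTERNET_SOURCE, port) == "ACCEPT":
            reached.add(port)
    if first_match(rules, policy, EXTERNAL_IFACE, INTERNET_SOURCE, probe) == "ACCEPT":
        reached.add("*")
    return reached


def findings(text: str) -> list:
    """Everything reachable from the Internet that is not on the public allowlist."""
    return sorted(internet_reachable_ports(text) - PUBLIC_PORTS, key=str)


# Constructed sample: a TLS front end on 443, a management API on 8443 limited to
# the corporate range, and SSH (an assumed stand-in for a management port) open
# to the world.  Ports here are placeholders, not any vendor's real ones.
EXPOSED_RULESET = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Same host after hardening: SSH only from the management jump range.
HARDENED_RULESET = EXPOSED_RULESET.replace(
    "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT",
    "-A INPUT -s 10.20.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT")

if __name__ == "__main__":
    print("before:", findings(EXPOSED_RULESET))   # [22]
    print("after: ", findings(HARDENED_RULESET))  # []
```

Run it against `iptables-save` output from each appliance; a non-empty result, or a `"*"` entry (a default-ACCEPT policy or catch-all rule), is exactly the “management port exposed on the internet” condition the vendor statement describes. The same first-match model applies to nftables or a cloud security group once you swap the parser.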
Major service providers should know better. starglider reminds us of the threat profile:
The concern isn’t really all that significant for end-users; the biggest concern they would have is likely privacy-related. … The ISP itself is the vulnerable target; once inside, the attackers could do a lot of damage, including shutting off access for all of their customers, some of whom are potentially hospitals, electric companies, etc.
It still sounds like victim blaming, though. mmell smells blood in the water:
So the problem is with Versa’s product, it’s been known and fixed for over a [month] and US … ISPs are still getting their asses handed to ’em by the Chinese government. Yeah, this time let’s kill the victim.
Those ISPs should be sued into oblivion to pay for the damages they’ve caused by failing to maintain their software products correctly. This is one of the rare cases where it can truly be said the victims (the ISPs) brought it upon themselves. Their customers, of course, will pay the price.
If a firm sounds like security naïfs, perhaps they really are. Clark Huxley looks for clues:
Versa also appears to have not invested internally in security: I can only find two full-time employees in technical security, and no CISO position at all.
Versa’s leadership page shows no one technical on the leadership team: It’s the CEO, the former CEO (as CDO and “Chief Soul Officer?”) and sales/marketing roles. Not even a CTO—let alone a CISO.
Meanwhile, what of China’s strategy? 2OEH8eoCRo0 doesn’t sound optimistic:
We are so ****ed. We just don’t know it yet.
An hour of lower blood pressure
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @richi@vmst.io, @richi.bsky.social or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Alejandro Luengo (via Unsplash; leveled, flipped and cropped)