
China Cyberwar Coming? Versa’s Vice: Volt Typhoon’s Target

Versa Networks criticized for swerving the blame.

A huge, gaping vulnerability in Versa Director allowed a Chinese state-sponsored APT group to pivot into major U.S. ISPs and MSPs, and from there toward their downstream customers. The group, dubbed Volt Typhoon, aims to be ready for cyberwar between the PRC and America, “to induce panic.” So, yeah, this is a major problem.

But Versa Networks, Inc. made the classic PR faux pas of blaming its own customers—major U.S. ISPs and MSPs. In today’s SB Blogwatch, we break out the popcorn.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Handpan and hair.

Xi Whiz

What’s the craic? Lorenzo Franceschi-Bicchierai reports: Chinese government hackers targeted US internet providers with zero-day

Real-world harm
A group of hackers … known as Volt Typhoon was exploiting the zero-day flaw. … Versa sells software to manage network configurations, and is used by internet service providers (ISPs) and managed service providers (MSPs), which makes Versa “a critical and attractive target.”

Volt Typhoon … focuses on targeting critical infrastructure, including communication and telecom networks, with the goal of causing “real-world harm” in the event of a future conflict with the United States. [They] were targeting Versa servers as crossroads where they could then pivot into other networks, … “because of the access that they could potentially provide to additional downstream customers.”

Horse’s mouth? Black Lotus Labs’ Michael Horka: Taking the Crossroads

June 12
A zero-day vulnerability in Versa Director servers, identified as CVE-2024-39717, … is found in Versa software-defined wide area network (SD-WAN) applications and affects all Versa Director versions prior to 22.1.4. [We] identified a unique, custom-tailored web shell that is tied to this vulnerability, which we call “VersaMem.” The web shell’s primary purpose is to intercept and harvest credentials which would enable access into downstream customers’ networks.

[We] observed the zero-day exploitation … dating back to at least June 12, 2024. … IoCs [at] our GitHub page.

Black Lotus whatnow? All aboard the Brian Krebs cycle: New 0-Day Attacks Linked to China’s ‘Volt Typhoon’

Blame on Versa customers
Black Lotus Labs, the security research arm of Lumen Technologies, which operates one of the global Internet’s largest backbones … said it assessed with “medium” confidence that Volt Typhoon was responsible for the compromises, noting the intrusions bear the hallmarks of the Chinese state-sponsored espionage group. … Volt Typhoon [is] focused on infiltrating critical U.S. networks and laying the groundwork for the ability to disrupt communications between the United States and Asia during any future armed conflict with China.

CISA … joined the FBI and NSA in warning [they] “assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement … to disrupt functions.” … FBI Director Christopher Wray said China is developing the “ability to physically wreak havoc on our critical infrastructure at a time of its choosing,” and that China’s plan is to “land blows against civilian infrastructure to try to induce panic.”

Versa … placed much of the blame on … customers who “failed to implement system hardening and firewall guidelines, … leaving a management port exposed on the internet that provided the threat actors with initial access.”

I’m sorry? It’s the customers’ fault? That’s how IGotOut reads it:

Sigh. I really hope this isn’t as it reads, i.e., blame the customer, not the manufacturer.

Sure looks like it. Lonestar1440 is less even-handed:

Close the damn ports. … If ISPs are leaving management ports open on the Internet, it’s going to take more than a vendor patch to protect them from cyber warfare. … You can, as an organization, choose to … be “Secure by default”, with exceptions—e.g., “Open a port other than 443 to the Internet.”
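Two of the checks behind this argument are mechanical: is the Director build older than 22.1.4 (the fix version named in the Black Lotus write-up), and is anything other than the public web port admitted from the whole Internet by the host firewall? The script below is an added example, not Versa’s code or any commenter’s; the `ss -tlnH`-shaped listener lines, the one-line `allow <port> from <cidr>` rule format, and the management port numbers 8443 and 9000 are all constructed placeholders, not Versa Director’s real ports or configuration syntax.

```python
"""Exposure check for an SD-WAN management host (added example; ports and rule format are constructed)."""
from __future__ import annotations

import ipaddress
import re
from typing import NamedTuple

FIXED_VERSION = "22.1.4"           # Black Lotus: all Versa Director versions prior to 22.1.4 are affected
WEB_PORT = 443                     # the one port the "secure by default" policy admits from anywhere
WILDCARDS = {"0.0.0.0", "::", "*"}  # bind addresses that accept traffic on every interface


class Listener(NamedTuple):
    addr: str
    port: int


class AllowRule(NamedTuple):
    port: int
    source: ipaddress.IPv4Network | ipaddress.IPv6Network


def parse_version(version: str) -> tuple[int, ...]:
    """'22.1.3' -> (22, 1, 3); non-numeric suffixes such as '-GA' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_vulnerable_version(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the running build sorts before the fixed build."""
    return parse_version(version) < parse_version(fixed)


def parse_listeners(ss_output: str) -> list[Listener]:
    """Parse `ss -tlnH`-shaped lines: state recv-q send-q local-addr:port peer."""
    listeners = []
    for line in ss_output.strip().splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")   # rpartition keeps IPv6 '[::]' intact
        listeners.append(Listener(addr.strip("[]"), int(port)))
    return listeners


def parse_allow_rules(rules: str) -> list[AllowRule]:
    """Parse a constructed allowlist, one 'allow <port> from <cidr>' per line; default policy is drop."""
    parsed = []
    for line in rules.strip().splitlines():
        m = re.match(r"allow\s+(\d+)\s+from\s+(\S+)", line.strip())
        if m:
            parsed.append(AllowRule(int(m.group(1)), ipaddress.ip_network(m.group(2))))
    return parsed


def internet_reachable(port: int, rules: list[AllowRule]) -> bool:
    """Under default-drop, a port is reachable from the whole Internet only via a /0 (any-source) rule."""
    return any(r.port == port and r.source.prefixlen == 0 for r in rules)


def exposed_management_ports(listeners: list[Listener], rules: list[AllowRule],
                             web_port: int = WEB_PORT) -> list[int]:
    """Wildcard-bound ports admitted from any source, other than the public web port."""
    return sorted({l.port for l in listeners
                   if l.addr in WILDCARDS and l.port != web_port and internet_reachable(l.port, rules)})


# Constructed sample: a Director-like host with a loopback-only DB and two hypothetical management ports.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 [::]:9000 [::]:*
"""
# The mistake Versa describes: management ports admitted from anywhere.
SAMPLE_RULES_BAD = """\
allow 443 from 0.0.0.0/0
allow 22 from 10.0.0.0/8
allow 8443 from 0.0.0.0/0
allow 9000 from ::/0
"""
# "Secure by default, with exceptions": management ports only from named management ranges.
SAMPLE_RULES_GOOD = """\
allow 443 from 0.0.0.0/0
allow 22 from 10.0.0.0/8
allow 8443 from 10.20.0.0/16
allow 9000 from 2001:db8::/32
"""

if __name__ == "__main__":
    listeners = parse_listeners(SAMPLE_SS)
    for label, rules in (("bad", SAMPLE_RULES_BAD), ("good", SAMPLE_RULES_GOOD)):
        print(label, "exposed:", exposed_management_ports(listeners, parse_allow_rules(rules)))
    print("22.1.3 vulnerable:", is_vulnerable_version("22.1.3"))
```

With the bad ruleset the check reports 8443 and 9000 as Internet-reachable management ports; with the good one it reports none, even though the same services are still listening, which is the distinction between a vendor patch and a firewall policy that the commenter is drawing.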

Major service providers should know better. starglider reminds us of the threat profile:

The concern isn’t really all that significant for end-users; the biggest concern they would have is likely privacy-related. … The ISP itself is the vulnerable target; once inside, the attackers could do a lot of damage, including shutting off access for all of their customers, some of whom are potentially hospitals, electric companies, etc.

It still sounds like victim blaming, though. mmell smells blood in the water:

So the problem is with Versa’s product, it’s been known and fixed for over a [month] and US … ISPs are still getting their asses handed to ’em by the Chinese government. Yeah, this time let’s kill the victim.

Those ISPs should be sued into oblivion to pay for the damages they’ve caused by failing to maintain their software products correctly. This is one of the rare cases where it can truly be said the victims (the ISPs) brought it upon themselves. Their customers, of course, will pay the price.

If a firm sounds like security naïfs, perhaps they really are. Clark Huxley looks for clues:

Versa also appears to have not invested internally in security: I can only find two full-time employees in technical security, and no CISO position at all.

Versa’s leadership page shows no one technical on the leadership team: It’s the CEO, the former CEO (as CDO and “Chief Soul Officer?”) and sales/marketing roles. Not even a CTO—let alone a CISO.

Meanwhile, what of China’s strategy? 2OEH8eoCRo0 doesn’t sound optimistic:

We are so ****ed. We just don’t know it yet.

And Finally:

An hour of lower blood pressure


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @richi@vmst.io, @richi.bsky.social or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Alejandro Luengo (via Unsplash; leveled, flipped and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
