Arthur T Knackerbracket has processed the following story:
This vulnerability, tracked as CVE-2024-39717, is being abused to plant custom, credential-harvesting web shells on customers' networks, according to Black Lotus Labs. Lumen Technologies' security researchers have attributed "with moderate confidence" both the new malware, dubbed VersaMem, and the exploitation of Volt Typhoon, warning that these attacks are "likely ongoing against unpatched Versa Director systems."
Volt Typhoon is the Beijing-backed cyberspy crew that the feds have accused of burrowing into US critical infrastructure networks while readying "disruptive or destructive cyberattacks" against these vital systems.
Versa Director is a software tool that allows for the central management and monitoring of Versa SD-WAN software. It's generally used by internet service providers (ISPs) and managed service providers (MSPs) to maintain their customers' network configurations — and this makes it an attractive target for cybercriminals because it gives them access to the service providers' downstream customers.
That appears to be the case with this CVE, as Versa notes the attacks target MSPs for privilege escalation.
[...] Versa has since released a patch, and encourages all customers to upgrade to Versa Director version 22.1.4 or later and apply the hardening guidelines. But the advice comes too late for some, as we're told: "This vulnerability has been exploited in at least one known instance by an Advanced Persistent Threat actor."
[...] "Analysis of our global telemetry identified actor-controlled small-office/home-office (SOHO) devices exploiting this zero-day vulnerability at four U.S. victims and one non-U.S. victim in the Internet service provider (ISP), managed service provider (MSP) and information technology (IT) sectors as early as June 12, 2024," the threat hunters noted.
After gaining access to the victims' networks via the exposed Versa management port, the attackers deployed the VersaMem web shell, which steals credentials and then allows Volt Typhoon to access the service providers' customers' networks as authenticated users.
"VersaMem is also modular in nature and enables the threat actors to load additional Java code to run exclusively in-memory," the security shop added.
[...] Plus, for anyone not yet convinced that software should be secure by design — with the onus for managing security risks falling on technology manufacturers, not the end users — this latest vulnerability should be more proof that CISA is on to something.
"The Versa blog on the topic subtly chastises affected users for failing to implement recommended security guidance," Britton said. "CISA's whole point in Secure by Default is that vendors need to find ways to guarantee that the out of the box system is as secure as possible, minimizing the possibility that overworked operators make these types of errors."
It also highlights the need for vendors to find a way to future-proof their products against unknown flaws, he added. "Commercially available technologies exist that can allow product and software manufacturers the ability to neutralize entire classes of vulns (known and unknown), without devolving into the whack-a-mole game of bug chasing."
(Score: 5, Interesting) by ikanreed on Monday September 09 2024, @01:05PM (1 child)
What exactly is "Volt Typhoon"?
You might think from the way it's discussed in media that it's the name or title of an organization in China. You'd be forgiven for thinking that because it's consistently used as a Proper Noun describing some specific group in every news story that comes up. But there's definitely no group that calls itself that or that the Chinese government code names "Volt Typhoon". Instead, it's the label that American intelligence uses to describe any hackers who seem, by way of evidence such as what tools they use, to be probably, most likely backed in some way by the Chinese government.
There's no direct evidence of even that, it's just there are hacking techniques that don't seem to be published through known venues, shared by multiple actors, and may have a pattern of behavior that sources them from Chinese locations. It's one-third PR campaign to make state agencies take digitial security seriously, one third PR campaign to attack a national enemy and one third based on some coherent measurable reality.
(Score: 0) by Anonymous Coward on Tuesday September 10 2024, @01:18AM
The "scene" sounds more capitalist than communist - maybe even less state sponsored than Boeing... 🤣
https://apnews.com/article/chinese-hacking-leak-documents-surveillance-spying-6276e8662ddf6f2c1afbae994d8b3aa2 [apnews.com]
https://www.theguardian.com/technology/2024/feb/25/china-cyber-leak-hacking-program-security [theguardian.com]