posted by hubie on Monday September 09 2024, @12:19AM

Arthur T Knackerbracket has processed the following story:

This vulnerability, tracked as CVE-2024-39717, is being abused to plant custom, credential-harvesting web shells on customers' networks, according to Black Lotus Labs. Lumen Technologies' security researchers have attributed "with moderate confidence" both the new malware, dubbed VersaMem, and the exploitation to Volt Typhoon, warning that these attacks are "likely ongoing against unpatched Versa Director systems."

Volt Typhoon is the Beijing-backed cyberspy crew that the feds have accused of burrowing into US critical infrastructure networks while readying "disruptive or destructive cyberattacks" against these vital systems.

Versa Director is a software tool that allows for the central management and monitoring of Versa SD-WAN software. It's generally used by internet service providers (ISPs) and managed service providers (MSPs) to maintain their customers' network configurations — and this makes it an attractive target for cybercriminals because it gives them access to the service providers' downstream customers.

That appears to be the case with this CVE, as Versa notes the attacks target MSPs for privilege escalation. 

[...] Versa has since released a patch, and encourages all customers to upgrade to Versa Director version 22.1.4 or later and apply the hardening guidelines. But the advice comes too late for some, as we're told: "This vulnerability has been exploited in at least one known instance by an Advanced Persistent Threat actor."

[...] "Analysis of our global telemetry identified actor-controlled small-office/home-office (SOHO) devices exploiting this zero-day vulnerability at four U.S. victims and one non-U.S. victim in the Internet service provider (ISP), managed service provider (MSP) and information technology (IT) sectors as early as June 12, 2024," the threat hunters noted.

After gaining access to the victims' networks via the exposed Versa management port, the attackers deployed the VersaMem web shell, which steals credentials and then allows Volt Typhoon to access the service providers' customers' networks as authenticated users. 
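The story names the exposed management port as the initial foothold, and the vendor's remedy is to patch and then follow its hardening guidelines, which start with not leaving management services reachable from untrusted networks. The following check is an added example written for this page; it is not code from the article, from Lumen, or from Versa. It parses socket listings shaped like `ss -H -ltn` output and reports management-port listeners bound to a wildcard address. The port numbers and the sample listing are constructed placeholders; an operator would substitute the ports their product's hardening guide designates as management-only.

```python
"""Added example (not from the article, Lumen or Versa): flag listening
sockets bound to every interface on ports an operator designates as
management-only. Input lines mirror `ss -H -ltn` output; the sample
listing and the port numbers below are constructed placeholders."""
from dataclasses import dataclass

# Placeholder management ports (assumption for this example); replace
# with the ports your product's hardening guide marks as management-only.
MANAGEMENT_PORTS = {9443, 8443}

# Local-address spellings that ss uses for "accept from any interface".
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int


def parse_ss_listing(text: str) -> list[Listener]:
    """Parse `ss -H -ltn`-style lines into Listener records.

    Expected columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
    followed by an optional process column. Non-LISTEN rows are skipped.
    """
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        # rpartition keeps bracketed IPv6 forms such as "[::]:9443" intact.
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        listeners.append(Listener(addr=addr, port=int(port)))
    return listeners


def exposed_management_listeners(listeners: list[Listener]) -> list[Listener]:
    """Return management-port listeners that accept connections from any interface."""
    return [
        l for l in listeners
        if l.port in MANAGEMENT_PORTS and l.addr in WILDCARD_ADDRS
    ]


def audit(text: str) -> list[str]:
    """Produce one finding per exposed management listener."""
    findings = []
    for l in exposed_management_listeners(parse_ss_listing(text)):
        findings.append(
            f"management port {l.port} is bound to {l.addr}: "
            "bind it to a management interface or restrict it with a firewall rule"
        )
    return findings


# Constructed sample: 8443 is correctly loopback-only; 9443 is exposed on
# both IPv4 and IPv6; the ESTAB row is ignored by the parser.
SAMPLE_LISTING = """LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8443 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:9443 0.0.0.0:*
LISTEN 0 4096 [::]:9443 [::]:*
ESTAB 0 0 10.0.0.5:51234 10.0.0.9:443
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LISTING):
        print(finding)
```

Run against real output with `ss -H -ltn | python3 check_mgmt_ports.py` after adapting the script to read stdin; the point of separating `parse_ss_listing` from `exposed_management_listeners` is that the same classifier can be fed by a config-management inventory instead of a live socket listing.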

"VersaMem is also modular in nature and enables the threat actors to load additional Java code to run exclusively in-memory," the security shop added.

[...] Plus, for anyone not yet convinced that software should be secure by design — with the onus for managing security risks falling on technology manufacturers, not the end users — this latest vulnerability should be more proof that CISA is on to something.

"The Versa blog on the topic subtly chastises affected users for failing to implement recommended security guidance," Britton said. "CISA's whole point in Secure by Default is that vendors need to find ways to guarantee that the out of the box system is as secure as possible, minimizing the possibility that overworked operators make these types of errors."

It also highlights the need for vendors to find a way to future-proof their products against unknown flaws, he added. "Commercially available technologies exist that can allow product and software manufacturers the ability to neutralize entire classes of vulns (known and unknown), without devolving into the whack-a-mole game of bug chasing."


This discussion was created by hubie (1068) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 5, Interesting) by ikanreed on Monday September 09 2024, @01:05PM (1 child)

    by ikanreed (3164) on Monday September 09 2024, @01:05PM (#1371910) Journal

    What exactly is "Volt Typhoon"?

    You might think from the way it's discussed in media that it's the name or title of an organization in China. You'd be forgiven for thinking that because it's consistently used as a Proper Noun describing some specific group in every news story that comes up. But there's definitely no group that calls itself that or that the Chinese government code names "Volt Typhoon". Instead, it's the label that American intelligence uses to describe any hackers who seem, by way of evidence such as what tools they use, to be probably, most likely backed in some way by the Chinese government.

    There's no direct evidence of even that, it's just there are hacking techniques that don't seem to be published through known venues, shared by multiple actors, and may have a pattern of behavior that sources them from Chinese locations. It's one-third PR campaign to make state agencies take digital security seriously, one third PR campaign to attack a national enemy and one third based on some coherent measurable reality.

    • (Score: 0) by Anonymous Coward on Tuesday September 10 2024, @01:18AM

      by Anonymous Coward on Tuesday September 10 2024, @01:18AM (#1371968)

      The "scene" sounds more capitalist than communist - maybe even less state sponsored than Boeing... 🤣
      https://apnews.com/article/chinese-hacking-leak-documents-surveillance-spying-6276e8662ddf6f2c1afbae994d8b3aa2 [apnews.com]

      Leaked chat records show I-Soon executives wooing officials over lavish dinners and late night binge drinking. They collude with competitors to rig bidding for government contracts. They pay thousands of dollars in “introduction fees” to contacts who bring them lucrative projects. I-Soon has not commented on the documents.

      Mei Danowski, a cybersecurity analyst who wrote about I-Soon on her blog, Natto Thoughts, said the documents show that China’s hackers for hire work much like any other industry in China.

      “It is profit-driven,” Danowski said. “It is subject to China’s business culture — who you know, who you dine and wine with, and who you are friends with.”

      https://www.theguardian.com/technology/2024/feb/25/china-cyber-leak-hacking-program-security [theguardian.com]

      Judging from the leaks, most of I-Soon’s customers were provincial or local police departments – as well as province-level state security agencies responsible for protecting the Communist party from perceived threats to its rule. The firm also offered clients help protecting their devices from hacking and securing their communications – with many of their contracts listed as “non-secret”
