China-linked APT Volt Typhoon exploited a zero-day vulnerability, tracked as CVE-2024-39717, in Versa Director to deploy a custom webshell on breached networks.
“This vulnerability has been exploited in at least one known instance by an Advanced Persistent Threat actor,” reads the advisory published by Versa Networks.
The vulnerability impacts Versa Director versions 22.1.3, 21.2.3, and 22.1.2.
Researchers at Lumen’s Black Lotus Labs discovered a zero-day vulnerability in Versa Director on June 17. The experts spotted a malicious Java binary named “VersaTest.png” uploaded from Singapore to VirusTotal. The file was analyzed and found to be a custom Java web shell, internally named “Director_tomcat_memShell” and referred to by researchers as “VersaMem.” This malware, designed specifically for Versa Director, currently has zero detections on VirusTotal.
“Black Lotus Labs identified a unique, custom-tailored web shell that is tied to this vulnerability, which we call “VersaMem.” The web shell’s primary purpose is to intercept and harvest credentials which would enable access into downstream customers’ networks as an authenticated user. VersaMem is also modular in nature and enables the threat actors to load additional Java code to run exclusively in-memory. Analysis of our global telemetry identified actor-controlled small-office/home-office (SOHO) devices exploiting this zero-day vulnerability at four U.S. victims and one non-U.S. victim in the Internet service provider (ISP), managed service provider (MSP) and information technology (IT) sectors as early as June 12, 2024,” reads the report published by Black Lotus Labs. “The threat actors gain initial administrative access over an exposed Versa management port intended for high-availability (HA) pairing of Director nodes, which leads to exploitation and the deployment of the VersaMem web shell.”