The Register: Volt Typhoon suspected of exploiting Versa SD-WAN bug since June

Source URL: https://www.theregister.com/2024/08/27/chinas_volt_typhoon_versa/
Source: The Register
Title: Volt Typhoon suspected of exploiting Versa SD-WAN bug since June

Feedly Summary: The same Beijing-backed cyber spy crew the feds say burrowed into US critical infrastructure
It looks like China’s Volt Typhoon has found a new way into American networks as Versa has disclosed a nation-state backed attacker has exploited a high-severity bug affecting all of its SD-WAN customers using Versa Director.…

AI Summary and Description: Yes

**Summary:** The text discusses an ongoing cybersecurity threat where a nation-state-backed group, China’s Volt Typhoon, has exploited a severe vulnerability in Versa’s SD-WAN product, leading to credential theft and unauthorized access to customer networks. This incident underlines significant concerns about software security and the importance of implementing robust security measures in technology products.

**Detailed Description:**
The article describes a critical cybersecurity threat involving a vulnerability in Versa's SD-WAN product, summarized as follows:

– **Vulnerability Details**:
  – Tracked as CVE-2024-39717, this vulnerability allows privileged users to upload malicious files and affects all customers using Versa Director, particularly those who did not apply the recommended hardening and firewall guidelines.

– **Malware Characteristics**:
  – The attackers deployed a custom web shell, named VersaMem, which is capable of harvesting credentials and enabling further access to service providers' downstream customers.

– **Threat Attribution**:
  – The activity is linked to Volt Typhoon, a Chinese state-sponsored espionage group; it has been described as sophisticated and fits the group's established pattern of targeting edge systems.

– **Security Advisory**:
  – Versa has issued a patch and recommends upgrading to version 22.1.4 or later. Exploitation of the vulnerability has already been confirmed in at least one instance.

– **Implications for Cybersecurity**:
  – The incident emphasizes the critical need for secure-by-design software practices. Doug Britton of RunSafe Security highlighted operational errors made by technology manufacturers and users alike, stressing the need for more secure defaults.

– **Recommended Actions**:
  – Affected organizations should apply the latest patches and revisit Versa's security and hardening guidelines to reduce their exposure going forward.

– **Broader Security Considerations**:
  – The situation is a reminder of the risks carried by software that manages critical infrastructure, echoing CISA's calls for security to be built into software products from the start.

This incident illustrates the growing threat posed by sophisticated cyber adversaries and the obligation of both vendors and users to prioritize cybersecurity in their operations. Exploitation of the vulnerability not only compromises individual organizations but also creates risk at the national-infrastructure level. Security professionals should take note of the proactive measures recommended by CISA and the industry to defend against attacks of this kind.