Researchers at Black Lotus Labs (Lumen Technologies) have detected a cyber attack against four ISPs (Internet Service Providers) in the United States. Chinese cyber criminals from the Typhoon group (already well known for accessing network infrastructure) used a vulnerability in the Versa Director software to install a web shell and intercept customer credentials.
Cyber espionage with a zero-day exploit
Versa Director is a virtualization platform that allows ISPs to manage their network infrastructure from their own panel. The vulnerability CVE-2024-39717, made public on 22 August (the patch was published on 26 August), was used by the Typhoon group from 12 June to install VersaMem, a web shell that allows the theft of customer credentials.
By exploiting the vulnerability, the Chinese cyber criminals uploaded a JAR library (the web shell) to the Versa Director systems. Use of the zero-day allows credentials to be intercepted in clear text and then copied to a temporary directory. Initial access was through port 4566, which Versa Director uses for "high availability" pairing between nodes.
VersaMem is a modular web shell, so different modules can be loaded as needed. The one identified by Lumen only allows the theft of credentials. For the moment it is not detected by any security solution, since it leaves no traces on the hard disk (the module is loaded directly into memory).
The vulnerability is present in all versions of Versa Director prior to 22.1.4. ISPs using the software should install the update immediately and follow Lumen's recommendations, including blocking remote access to port 4566.
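
One way to act on the two recommendations above, as an added example (not code from Lumen or Versa): flag accepted connections to port 4566 from any source that is not a node's HA peer, and mark whether the targeted Director runs a version prior to 22.1.4. The inventory, addresses and flow-log format are constructed assumptions.

```python
import ipaddress

HA_PORT = 4566               # HA pairing port named in the article
FIXED_VERSION = (22, 1, 4)   # versions prior to this are affected, per the article

# Constructed inventory (hypothetical): Director IP -> (version, allowed HA peers)
DIRECTORS = {
    "10.0.0.10": ("22.1.3", {"10.0.0.11"}),
    "10.0.0.11": ("22.1.4", {"10.0.0.10"}),
}

# Constructed flow records: "timestamp src_ip dst_ip dst_port action"
FLOWS = """\
2024-08-27T10:00:01Z 10.0.0.11 10.0.0.10 4566 ACCEPT
2024-08-27T10:02:13Z 198.51.100.7 10.0.0.10 4566 ACCEPT
2024-08-27T10:02:40Z 198.51.100.7 10.0.0.11 4566 DROP
2024-08-27T10:03:05Z 203.0.113.9 10.0.0.10 443 ACCEPT
not a flow line
"""

def is_affected(version):
    """True when the dotted version string is lower than the fixed release."""
    return tuple(int(p) for p in version.split(".")) < FIXED_VERSION

def unexpected_ha_connections(flow_text, directors):
    """Return accepted port-4566 connections to a Director from a non-peer source."""
    findings = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        ts, src, dst, port, action = parts
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue  # skip records with invalid addresses or ports
        if port != HA_PORT or action != "ACCEPT" or dst not in directors:
            continue
        version, peers = directors[dst]
        if src not in peers:
            findings.append({"time": ts, "src": src, "dst": dst,
                             "affected_version": is_affected(version)})
    return findings

if __name__ == "__main__":
    for finding in unexpected_ha_connections(FLOWS, DIRECTORS):
        print(finding)
```

A finding on a node with `affected_version` set to true is the one to triage first, since it combines reachable port 4566 with an unpatched release.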