Hackers are exploiting vulnerabilities in network management tools to launch cyber attacks against US internet providers.
Black Lotus Labs, the cybersecurity research division of communications company Lumen Technologies, revealed the hacking campaign today, and researchers at the unit believe it is likely the work of Volt Typhoon, a state-sponsored hacking group with ties to China. Black Lotus Labs determined the cyberattack began as early as June 12.
The hackers are spreading their malware by exploiting zero-day or unpatched vulnerabilities in Versa Director, a software tool that helps companies manage their networks. The application coordinates sections of a company’s network, linking together geographically dispersed technology assets such as data centers. Versa Director is used by internet providers as well as managed service providers (MSPs) that focus on maintaining other organizations’ technology infrastructure.
Hackers are exploiting this vulnerability using custom malware called VersaMem, a so-called web shell: a malicious program that gives a threat actor remote access to a compromised system. The hackers packaged VersaMem as a JAR file, the archive format typically used to distribute applications written in the Java programming language.
Several key components of Versa Director are also written in Java. Some of these modules run under Apache Tomcat, an open-source server that hosts Java web applications. According to Black Lotus Labs, VersaMem works by plugging into and modifying Versa Director’s Tomcat installation.
The primary goal of the malicious code modifications is to steal Versa Director administrator login credentials. VersaMem captures the credentials in plaintext, so the hackers can read them without any further effort. According to Black Lotus Labs, the stolen login information could be used to compromise internet providers and MSPs, as well as those companies’ customers.
Another purpose of VersaMem’s code modifications is to facilitate the installation of additional malware modules, which are loaded in a way that makes them difficult for intrusion prevention systems to detect.
“The above functionality runs solely in memory and no Java files on disk are modified to enable the hooks,” researchers from Black Lotus Labs detailed in a blog post. “This significantly increases the attacker’s chances of evading detection.”
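Because the hooks live only in memory, file-integrity checks on the Tomcat tree will not reveal them; a first-pass hunt has to look at the running JVM instead. The script below is an added example, not code from Black Lotus Labs or Versa: it reads a Tomcat JVM's /proc entries and flags instrumentation-agent arguments and JAR files mapped from outside an expected install root. The sample /proc data, the agent name `/tmp/agent.jar` and the allowed roots are constructed assumptions, not indicators from the report.

```python
import os
import re
from pathlib import PurePosixPath

def parse_cmdline(raw: bytes) -> list:
    """Split a /proc/<pid>/cmdline blob (NUL-separated argv) into a list."""
    return [a for a in raw.decode("utf-8", "replace").split("\0") if a]

def agent_args(argv: list) -> list:
    """JVM arguments that attach an instrumentation agent at startup."""
    return [a for a in argv if a.startswith(("-javaagent:", "-agentpath:", "-agentlib:"))]

def mapped_jars(maps_text: str) -> set:
    """Every .jar path that backs a mapping in /proc/<pid>/maps."""
    jars = set()
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)  # addr perms offset dev inode path
        if len(parts) == 6 and parts[5].endswith(".jar"):
            jars.add(parts[5])
    return jars

def outside_roots(paths, allowed_roots) -> list:
    """Paths that do not sit beneath any allowed install root."""
    roots = [PurePosixPath(r) for r in allowed_roots]
    return [p for p in sorted(paths)
            if not any(PurePosixPath(p).is_relative_to(r) for r in roots)]

def assess(cmdline_raw: bytes, maps_text: str, allowed_roots) -> dict:
    """Combine both checks for one process into a findings dict."""
    return {"agents": agent_args(parse_cmdline(cmdline_raw)),
            "stray_jars": outside_roots(mapped_jars(maps_text), allowed_roots)}

def scan_live(allowed_roots, proc="/proc") -> dict:
    """Assess every JVM on a real Linux host (needs read access to /proc)."""
    results = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/cmdline", "rb") as f:
                raw = f.read()
            argv = parse_cmdline(raw)
            if not argv or "java" not in os.path.basename(argv[0]):
                continue
            with open(f"{proc}/{pid}/maps") as f:
                results[int(pid)] = assess(raw, f.read(), allowed_roots)
        except OSError:
            continue  # process exited or is not readable
    return results

# Constructed sample standing in for one Tomcat JVM's /proc entries (assumption).
SAMPLE_CMDLINE = (b"/usr/bin/java\0-javaagent:/tmp/agent.jar\0"
                  b"-Dcatalina.home=/opt/tomcat\0org.apache.catalina.startup.Bootstrap\0start\0")
SAMPLE_MAPS = ("7f00 r--p 00000000 08:01 1 /opt/tomcat/lib/catalina.jar\n"
               "7f01 r--p 00000000 08:01 2 /tmp/agent.jar\n"
               "7f02 rw-p 00000000 00:00 0 [heap]\n")
ALLOWED = ["/opt/tomcat", "/usr/lib/jvm"]
```

A JAR injected from bytes through a custom class loader leaves no file-backed mapping at all, so an empty result is not proof of absence; pair this with the vendor's patch status and Tomcat access logs.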
Lumen believes hackers have so far breached at least four companies in the United States and one in India, operating in the telecommunications, MSP and information technology markets.
Researchers first disclosed the Versa Director vulnerability last Thursday. Versa Software Inc., a venture-backed startup that develops network management tools, was informed of the flaw several weeks ago. The company released a patch that removes the vulnerability from customer environments.