Since July 12, four unnamed American Internet Service Providers (ISPs) have been hacked. All four ISPs used the same platform to manage and control large enterprise networks. By compromising this platform, hackers were able to steal encrypted customer credentials.
Black Lotus Labs first discovered and reported the vulnerability in the Versa Director (the platform used by these four ISPs) two days ago. Researchers identified the first exploitation of the vulnerability as far back as June 12, 2024, but it was only fixed on August 26, 2024.
Attackers hijacked small office and home office routers and used them to compromise the ISPs’ Versa Director systems. They got in through an exposed port that was supposed to sit behind a hardened firewall; Versa’s instructions required this, but the affected ISPs had not followed them. Through this entry point the attackers uploaded a malicious Java file called “VersaMem.” A bug in the file upload mechanism, which was supposed to sanitize uploaded files, let the file through, and the code gave the attacker administrative access to the entire Versa Director dashboard.
Once the JAR file was deployed, the attackers had remote administrative access and could hijack Versa Director’s authentication process, stealing user credentials (usernames and passwords) before they were encrypted and transmitted. The VersaMem JAR file also has a modular design, so credential theft is just one of its components. Hackers could add more functionality to it, but Black Lotus Labs has found only one module so far.
The malware is highly sophisticated and difficult to detect, as it resides only in volatile memory. According to Black Lotus Labs, the VersaMem malware “currently has zero antivirus (AV) detections.” Versa categorizes it as a very serious threat and urges customers to upgrade their Versa Director installations and follow its firewall requirements. Versa’s security bulletin update also provides instructions on how to scan infected systems for the malicious code.
The sophistication and planning of the attack led researchers at Black Lotus Labs to believe the culprit is Volt Typhoon, a Chinese government-sponsored group that has targeted various sectors of U.S. infrastructure.
Source: Versa Blog, Black Lotus Labs, Ars Technica