Volt Typhoon Exploits Versa Di...
Chinese cyber espionage group Volt Typhoon has been linked to the exploitation of a zero-day vulnerability in Versa Director, a secure access service edge (SASE) solution, impacting multiple U.S. and global IT entities. The flaw, tracked as CVE-2024-39717, allows attackers with specific administrative privileges to upload malicious files disguised as PNG images via the "Change Favicon" feature in the Versa Director GUI.
Black Lotus Labs at Lumen Technologies reported that the attacks, which began on June 12, 2024, targeted U.S. and non-U.S. victims in the ISP, MSP, and IT sectors. The ongoing campaign exploits unpatched Versa Director systems to deploy a custom web shell, dubbed "VersaMem," designed to intercept credentials and enable downstream supply chain attacks. Volt Typhoon’s modus operandi aligns with its history of exploiting small office and home office (SOHO) network equipment to maintain stealthy access and evade detection. The group is believed to have tested the web shell on non-U.S. victims before deploying it in the U.S.
Versa Networks, whose customers include major global enterprises, has urged affected clients to implement the necessary system hardening and firewall guidelines. Cybersecurity experts advise blocking external access to specific ports and monitoring for suspicious PNG files and network traffic as critical mitigations against this ongoing threat.
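Monitoring for suspicious PNG files, as advised above, can be automated by validating each file's structure instead of trusting its extension. The following is an added example, not code from Versa Networks or Black Lotus Labs; the function names and sample data are constructed for illustration, and the directory to scan is a placeholder you supply.

```python
import struct
import zlib
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"  # fixed 8-byte signature that opens every PNG

def png_findings(data: bytes) -> list[str]:
    """Return reasons a blob is not a well-formed PNG (empty list = clean)."""
    if not data.startswith(PNG_SIG):
        return ["missing PNG signature"]
    pos, first, findings = len(PNG_SIG), True, []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            return findings + ["truncated chunk %r" % ctype]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) != crc:
            findings.append("bad CRC in chunk %r" % ctype)
        if first and (ctype != b"IHDR" or length != 13):
            findings.append("first chunk is not a 13-byte IHDR")
        first, pos = False, end
        if ctype == b"IEND":
            if pos != len(data):  # data appended after the image ends
                findings.append("%d bytes after IEND" % (len(data) - pos))
            return findings
    return findings + ["no IEND chunk"]

def scan_directory(root: str) -> dict[str, list[str]]:
    """Check every *.png under root (a placeholder path you supply)."""
    hits = {}
    for path in Path(root).rglob("*.png"):
        findings = png_findings(path.read_bytes())
        if findings:
            hits[str(path)] = findings
    return hits

def make_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = struct.pack(">I", zlib.crc32(ctype + body))
    return struct.pack(">I", len(body)) + ctype + body + crc

# Constructed samples: a minimal 1x1 grayscale PNG and a non-image blob.
SAMPLE_PNG = (PNG_SIG
              + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + make_chunk(b"IEND", b""))
SAMPLE_FAKE = b"PK\x03\x04 constructed non-image content"
```

A file that passes these checks is structurally a PNG; a file that fails is a candidate for review, not proof of compromise.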