Compromise
severity: High
2024-08-22
Volt Typhoon exploits Versa Director zero-day (CVE-2024-39717)
published by Lumen Black Lotus Labs
Actor
PRC state-sponsored actor focused on pre-positioning in U.S. critical infrastructure (communications, energy, transportation, water). Heavy use of living-off-the-land techniques and small-office/home…
Summary
Lumen Black Lotus Labs disclosed that Volt Typhoon had been exploiting a zero-day in Versa Director (CVE-2024-39717) since at least 12 June 2024 to drop a custom Java web shell, VersaMem, on internet-facing SD-WAN management appliances at U.S. ISPs and MSPs and one non-U.S. provider. The web shell harvested credentials in process memory to enable downstream access — consistent with Volt Typhoon's pattern of stealthy pre-positioning in critical-infrastructure-adjacent networks.
Tags
zero-day, isp, sd-wan, living-off-the-land