Chinese Hackers Target Internet Providers in the U.S.

Written by: Andrea Miliani, Tech Writer

Fact-checked by: Kate Richards, Content Manager

Researchers from Lumen Black Lotus Labs reveal that hackers linked to the Chinese government have exploited a vulnerability in networking software and targeted internet service providers (ISPs) in the United States.

According to the report shared on Tuesday, the research team discovered that malicious actors used a zero-day vulnerability—a security flaw that has not been recognized before—in Versa Director servers, a service provided by Versa Networks to multiple ISPs in the country.

The vulnerability, now identified as CVE-2024-39717, was publicly announced on August 22, and a security update has been released. Versa Director versions older than 22.1.4 could be at risk.

Based on their research, experts attribute the attack to Volt Typhoon and Bronze Silhouette, two known threat actors sponsored by the Chinese state.

According to TechCrunch, Volt Typhoon “focuses on targeting critical infrastructure,” and its mission is to cause “real-world harm.” This organization wants to disrupt the U.S. military.

Researchers discovered a custom-tailored, modular web shell linked to the vulnerability, which they called “VersaMem” and which was used “to intercept and harvest credentials which would enable access into downstream customers’ networks as an authenticated user.”

The investigation also detailed that affected devices were located in small and home offices. In June, Black Lotus Labs identified four U.S. victims and one non-U.S. victim. The malicious actors gained administrative access, then deployed and exploited the VersaMem web shell.

Later, the hackers tried to access other networks linked to Versa Networks. “This wasn’t limited to just telecoms, but managed service providers and internet service providers,” Mike Horka, one of the security researchers, told TechCrunch. “These central locations that they can go after, which then provide additional access.”

Black Lotus Labs and the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) recommend organizations update their services, look for malicious activities, and report any findings.
