Chinese Hackers Exploit Versa Director Zero-Day to Hit IT Sectors

The Chinese state-sponsored threat actor Volt Typhoon (also tracked as Bronze Silhouette) exploited a zero-day vulnerability (CVE-2024-39717) in Versa Director servers. The flaw lets an attacker who already holds administrative credentials upload a dangerous file type through the management GUI; Volt Typhoon used it to plant a custom Java web shell, VersaMem, that intercepts and harvests credentials.

The web shell also lets the attackers load additional Java code in memory. Victims were in the ISP, MSP, and IT sectors; the actors routed their access through compromised SOHO devices, and a compromised Director gives them a path into the downstream customer networks that the Director manages.

Versa Networks released patches in July and August. Organizations running Versa Director should upgrade to version 22.1.4 or later to mitigate the risk.

Overview of the Versa Director exploitation process and the VersaMem web shell functionality. 

VersaMem intercepts plaintext user credentials and hooks system functions to load further malicious Java modules directly in memory, so the loaded code never touches disk. Initial access most likely came through port 4566, which Versa Director uses for Director node pairing and which should not be reachable from the internet; follow-on activity used HTTPS on port 443.

The JAR web shell, “VersaMem”, was likely compiled with Apache Maven on June 3, 2024, in China. Its project name, “Director_tomcat_memShell”, and bundle name, “VersaTest”, indicate that it was built specifically for the Tomcat-based web application of Versa Director.

It was uploaded to VirusTotal on June 7, 2024. Its main class, com.versa.vnms.ui.TestMain, is the entry point, and the package name mimics Versa's own package naming. As of mid-August 2024 the sample still had zero detections on VirusTotal, which suggests it is a new or otherwise unknown threat.

Screenshot from VirusTotal for VersaTest.png showing 0 detections. 

TestMain is the entry point. Run as a stand-alone Java program, it uses the Java Attach API to connect to the running Apache Tomcat process and load its own JAR into that process as a Java agent; once inside Tomcat, the Java Instrumentation API lets it rewrite the bytecode of already-loaded classes, which is how it injects code and hooks method calls.

It also defines the standard agent hooks, “premain” (used when an agent is supplied at JVM start) and “agentmain” (used when an agent is attached to a running JVM). Both call an “init” function that loads a configuration manager, registers a custom ClassFileTransformer with the Instrumentation API, and then requests a retransformation so that the targeted, already-loaded classes are passed back through the transformer and rewritten in place.

Screenshot of code from VersaMem TestMain.class “init” function. 

The CoreClassFileTransformer class installs two malicious transformers. The first hooks the “setUserPassword” method of the Versa authentication service to steal user credentials.

It does this by matching the target class and method during transformation, then replacing “setUserPassword” with custom bytecode that captures the username and password, encrypts them with a hardcoded key, and writes the ciphertext to a file on disk. Because the rewrite happens in memory, the application's JAR and class files on disk are unchanged; the encrypted credential file is the only artifact this hook leaves on disk.

Screenshot of code from VersaMem CoreClassFileTransformer.class “transform” function.

According to Black Lotus Labs, the second transformer, WriteTestTransformer, hooks the Tomcat application filter chain, which every inbound HTTP request passes through. The hook inspects each request for specific parameters and headers that authenticate the attacker.

If the request authenticates, the hook loads and executes Java bytecode supplied in the request, giving the attacker arbitrary code execution inside the Tomcat process without writing a new file to disk. Volt Typhoon uses this capability on compromised Versa Director servers to gain unauthorized access to sensitive information.
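The mechanics in the passages above (a Java agent that attaches to Tomcat and registers a ClassFileTransformer, and bytecode that is later defined straight from memory) can be turned around for hunting. The following is an added example written for this article, not VersaMem's code and not anything from Versa or Black Lotus Labs: a read-only Java agent that uses the same Attach and Instrumentation APIs to attach to a running Tomcat, sweep every class already loaded, and then stay resident watching every later class definition and retransformation. It flags classes that have no CodeSource location (the fingerprint of bytecode defined from an in-memory byte array) or whose location lies outside an allowlist of expected install directories. The class name HuntAgent, the allowlist paths, and the build and run commands are assumptions; adjust the paths to the real Versa Director install.

```java
// HuntAgent.java  (added example; not VersaMem, not Versa's code)
// Build (JDK 9+):
//   javac HuntAgent.java
//   printf 'Agent-Class: HuntAgent\nPremain-Class: HuntAgent\nCan-Retransform-Classes: true\n' > MANIFEST.MF
//   jar cfm hunt-agent.jar MANIFEST.MF HuntAgent.class
// Run as the same user as Tomcat:
//   java -cp hunt-agent.jar HuntAgent <tomcat-pid> $PWD/hunt-agent.jar
// Findings are printed on the target JVM's stderr (for Tomcat, usually catalina.out).
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.CodeSource;
import java.security.ProtectionDomain;

public class HuntAgent {
    /** Expected on-disk homes for application code; anything else is reported. Assumed paths, adjust per install. */
    static final String[] ALLOWED_PREFIXES = { "file:/opt/versa/", "file:/usr/share/tomcat", "file:/var/lib/tomcat" };

    /** Entry point when the JVM is started with -javaagent:hunt-agent.jar. */
    public static void premain(String args, Instrumentation inst) { install(inst); }

    /** Entry point when the JAR is loaded into a live JVM through the Attach API (the path VersaMem uses). */
    public static void agentmain(String args, Instrumentation inst) { install(inst); }

    static void install(Instrumentation inst) {
        // 1. One-shot sweep over every class the JVM has already loaded.
        for (Class<?> c : inst.getAllLoadedClasses()) {
            if (c.isArray() || c.isPrimitive()) continue;
            String why = reason(c.getName(), c.getClassLoader(), c.getProtectionDomain());
            if (why != null) report("loaded", c.getName(), c.getClassLoader(), why);
        }
        // 2. Stay resident: every later class definition or retransformation passes through this transformer.
        inst.addTransformer(new ClassFileTransformer() {
            @Override
            public byte[] transform(ClassLoader loader, String internalName, Class<?> beingRedefined,
                                    ProtectionDomain pd, byte[] bytes) {
                String name = internalName == null ? "<anonymous>" : internalName.replace('/', '.');
                if (beingRedefined != null) {
                    // Somebody is rewriting an already-loaded class: exactly what CoreClassFileTransformer does.
                    report("retransform", name, loader, "existing class re-defined");
                } else {
                    String why = reason(name, loader, pd);
                    if (why != null) report("define", name, loader, why);
                }
                return null;  // never alter bytecode; this agent only observes
            }
        }, true);
    }

    /** Returns a reason string when the class does not come from an expected on-disk location, else null. */
    static String reason(String name, ClassLoader loader, ProtectionDomain pd) {
        if (loader == null) return null;                                  // bootstrap (JDK) classes
        if (name.startsWith("java.") || name.startsWith("jdk.") || name.startsWith("sun.")
                || name.startsWith("com.sun.")) return null;
        if (name.contains("$$Lambda") || name.contains("$Proxy")) return null; // legitimate runtime-generated classes
        CodeSource cs = pd == null ? null : pd.getCodeSource();
        if (cs == null || cs.getLocation() == null) return "no CodeSource location (defined from in-memory bytes?)";
        String loc = cs.getLocation().toString();
        for (String ok : ALLOWED_PREFIXES) if (loc.startsWith(ok)) return null;
        return "unexpected code location " + loc;
    }

    static void report(String event, String name, ClassLoader loader, String why) {
        System.err.println("[hunt] " + event + " " + name + " loader=" + loader + " : " + why);
    }

    /** Attach-side launcher: loads this JAR as an agent into the target JVM. */
    public static void main(String[] a) throws Exception {
        com.sun.tools.attach.VirtualMachine vm = com.sun.tools.attach.VirtualMachine.attach(a[0]);
        try { vm.loadAgent(a[1]); } finally { vm.detach(); }
    }
}
```

Expect some noise from frameworks that generate classes at runtime and extend the exclusions accordingly. Two limits are worth knowing: a class that was retransformed before the agent attached keeps its original CodeSource, so the initial sweep will not flag a hooked setUserPassword (which is why the transformer also reports every later retransformation), and an attacker who defines classes with a forged ProtectionDomain pointing at an allowed path evades the location check. Compare findings against the known-good JAR inventory of the Director install rather than treating a clean sweep as proof of absence.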

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.
