Researchers discover China-linked hacking campaign targeting US internet providers

Hackers are using a vulnerability in a network management tool to launch cyberattacks against U.S. internet providers.

Black Lotus Labs, the cybersecurity research unit of telecommunications company Lumen Technologies Inc., revealed the hacking campaign today. The unit’s researchers believe that the campaign is likely run by Volt Typhoon, a state-backed hacking group linked to China. Black Lotus Labs has determined that the cyberattacks began as early as June 12.

The hackers are spreading malware using a zero-day, or yet-unpatched, vulnerability in Versa Director, a software tool that helps companies manage their networks. The application coordinates the sections of a corporate network that link together geographically disparate technology assets such as data centers. Versa Director is used not only by internet providers but also by managed service providers, or MSPs, companies that focus on maintaining other organizations’ technology infrastructure.

The hackers are exploiting the vulnerability using a custom piece of malware dubbed VersaMem. It’s a so-called web shell, a malicious program that allows a threat actor to remotely access a compromised system. The hackers packaged VersaMem into a JAR file, a type of file typically used to store applications written in the Java programming language.

Several key components of Versa Director are likewise written in Java. Some of those modules are powered by Apache Tomcat, an open-source server that runs Java web applications. According to Black Lotus Labs, VersaMem works by attaching to Versa Director’s Tomcat installation and modifying it.

The first purpose of the malicious code changes is to steal administrators’ Versa Director login credentials. VersaMem extracts credentials in a plaintext format, which means they can be readily read by the hackers. According to Black Lotus Labs, the stolen login details could potentially be used to compromise not only internet providers and MSPs but also such companies’ customers.

The other purpose of the code changes made by VersaMem is to facilitate the installation of additional malware modules. Those programs are loaded in a manner that makes them difficult for breach prevention systems to detect.

“The functionality described above occurs in memory only, and no Java files on disk are modified to enable the hooks,” Black Lotus Labs’ researchers detailed in a blog post. “This significantly improves the actor’s chances of avoiding detection.”
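Because the hooks live in memory and no Java files on disk change, file-integrity monitoring of the Tomcat tree will not catch this class of implant; a defender has to look at the running JVM instead. The script below is an added example, not code from the article, Black Lotus Labs or Versa: it snapshots a Java process from Linux `/proc` and flags generic indicators of an agent JAR having been loaded into it. It assumes only general JDK facts (agents are loaded through the `-javaagent`/`-agentpath`/`-agentlib` options or the runtime attach mechanism, which `-XX:+DisableAttachMechanism` turns off); it does not claim this is how VersaMem attaches, and the process and paths in `SAMPLE` are constructed for the demonstration.

```python
"""Hunt for agent-JAR indicators in running JVMs such as Tomcat (added example)."""
from __future__ import annotations

import os
from dataclasses import dataclass

# Directories from which a Tomcat install normally loads no code.
# Assumption for this example; adjust to the host's layout.
UNTRUSTED_JAR_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Standard HotSpot options that load an agent into the process at startup.
AGENT_OPTIONS = ("-javaagent:", "-agentpath:", "-agentlib:")


@dataclass
class JvmSnapshot:
    pid: int
    cmdline: list[str]     # argv of the process
    open_files: list[str]  # readlink() targets of /proc/<pid>/fd/*


def parse_cmdline(raw: bytes) -> list[str]:
    """/proc/<pid>/cmdline is NUL-separated; drop the trailing empty field."""
    return [arg.decode(errors="replace") for arg in raw.split(b"\0") if arg]


def is_java(cmdline: list[str]) -> bool:
    return bool(cmdline) and os.path.basename(cmdline[0]) == "java"


def find_indicators(snap: JvmSnapshot) -> list[str]:
    """Return human-readable findings; an empty list means nothing noteworthy."""
    findings = []
    for arg in snap.cmdline:
        if arg.startswith(AGENT_OPTIONS):
            findings.append(f"agent loaded via JVM option: {arg}")
    if "-XX:+DisableAttachMechanism" not in snap.cmdline:
        findings.append("attach mechanism enabled: code can be loaded at "
                        "runtime without any trace on the command line")
    for target in snap.open_files:
        # The kernel appends " (deleted)" when the file behind an fd was unlinked,
        # which is what a JAR dropped, loaded and then removed looks like.
        deleted = target.endswith(" (deleted)")
        path = target[: -len(" (deleted)")] if deleted else target
        if not path.endswith(".jar"):
            continue
        if deleted:
            findings.append(f"open JAR whose file was removed from disk: {path}")
        elif path.startswith(UNTRUSTED_JAR_DIRS):
            findings.append(f"JAR loaded from untrusted directory: {path}")
    return findings


def snapshot_from_proc(pid: int, proc_root: str = "/proc") -> JvmSnapshot:
    base = os.path.join(proc_root, str(pid))
    with open(os.path.join(base, "cmdline"), "rb") as fh:
        cmdline = parse_cmdline(fh.read())
    fd_dir = os.path.join(base, "fd")
    targets = []
    for name in os.listdir(fd_dir):
        try:
            targets.append(os.readlink(os.path.join(fd_dir, name)))
        except OSError:
            continue  # fd closed between listdir and readlink
    return JvmSnapshot(pid, cmdline, targets)


def scan_host(proc_root: str = "/proc") -> dict[int, list[str]]:
    """Map every Java pid on the host to its findings (needs root for other users' fds)."""
    results = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            snap = snapshot_from_proc(int(entry), proc_root)
        except OSError:
            continue  # process exited or permission denied
        if is_java(snap.cmdline):
            results[snap.pid] = find_indicators(snap)
    return results


# Constructed sample, not real telemetry: a Tomcat JVM started with an agent
# JAR from /tmp whose file was unlinked after loading.
SAMPLE = JvmSnapshot(
    pid=4242,
    cmdline=parse_cmdline(b"/usr/bin/java\0-javaagent:/tmp/agent.jar\0"
                          b"-Dcatalina.base=/opt/tomcat\0"
                          b"org.apache.catalina.startup.Bootstrap\0start\0"),
    open_files=["/opt/tomcat/lib/catalina.jar",
                "/tmp/agent.jar (deleted)",
                "socket:[12345]"],
)

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE):
        print(f"pid {SAMPLE.pid}: {finding}")
```

Run `scan_host()` as root on a live host to check every JVM; treat a deleted or `/tmp`-resident JAR on a Tomcat process as a reason to capture a heap dump and the loaded-class list before restarting, since restarting destroys the only copy of an in-memory implant.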

The Lumen unit believes that the hackers have so far breached at least four companies in the U.S. and one in India. The companies in question are active across the telecommunications, MSP and information technology markets.

Researchers first disclosed the Versa Director vulnerability last Thursday. Versa Software Inc., the venture-backed startup that develops the network management tool, was notified of the flaw several weeks earlier. It has released a patch that removes the vulnerability from customers’ environments.

Photo: Unsplash

Source: siliconangle.com