Versa Director Zero Day Exploitation
Versa Director Zero Day Exploitation was conducted by Volt Typhoon from early June through August 2024 as zero-day exploitation of Versa Director servers controlling software-defined wide area network (SD-WAN) applications. Since tracked as CVE-2024-39717, exploitation focused on credential capture from compromised Versa Director servers at managed service providers (MSPs) and internet service providers (ISPs) to enable follow-on access to service provider clients. Versa Director Zero Day Exploitation was followed by the delivery of the VersaMem web shell for both credential theft and follow-on code execution.[1]
Groups
| ID | Name | Description |
|---|---|---|
| G1017 | Volt Typhoon |
Versa Director Zero Day Exploitation was conducted by Volt Typhoon between June and August 2024.[1] |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Versa Director Zero Day Exploitation established HTTPS communications from adversary-controlled SOHO devices over port 443 with compromised Versa Director servers.[1] |
| Enterprise | T1584 | .008 | Compromise Infrastructure: Network Devices |
Versa Director Zero Day Exploitation used compromised small office/home office (SOHO) devices to interact with vulnerable Versa Director servers.[1] |
| Enterprise | T1587 | .001 | Develop Capabilities: Malware |
Versa Director Zero Day Exploitation involved the development of a new web shell variant, VersaMem.[1] |
| Enterprise | T1573 | .002 | Encrypted Channel: Asymmetric Cryptography |
Versa Director Zero Day Exploitation used HTTPS for command and control of compromised Versa Director servers.[1] |
| Enterprise | T1190 | Exploit Public-Facing Application |
Versa Director Zero Day Exploitation involved exploitation of a vulnerability in Versa Director servers, since identified as CVE-2024-39717, for initial access and code execution.[1] |
|
| Enterprise | T1056 | Input Capture |
Versa Director Zero Day Exploitation intercepted and harvested credentials from user logins to compromised devices.[1] |
|
| Enterprise | T1095 | Non-Application Layer Protocol |
Versa Director Zero Day Exploitation used a non-standard TCP session to initialize communication prior to establishing HTTPS command and control.[1] |
|
| Enterprise | T1505 | .003 | Server Software Component: Web Shell |
Versa Director Zero Day Exploitation resulted in the deployment of the VersaMem web shell for follow-on activity.[1] |
Software
| ID | Name | Description |
|---|---|---|
| S1154 | VersaMem |
VersaMem was used during Versa Director Zero Day Exploitation by Volt Typhoon.[1] |