Versa Director Zero Day Exploitation

Versa Director Zero Day Exploitation was a campaign conducted by Volt Typhoon from early June through August 2024 in which a then-unpatched vulnerability in Versa Director servers, which manage software-defined wide area network (SD-WAN) deployments, was exploited as a zero-day. The vulnerability has since been tracked as CVE-2024-39717. Exploitation focused on capturing credentials from compromised Versa Director servers at managed service providers (MSPs) and internet service providers (ISPs) in order to gain follow-on access to those providers' customers. Exploitation was followed by delivery of the VersaMem web shell, which was used both for credential theft and for follow-on code execution.[1]

ID: C0039
First Seen: June 2024 [1]
Last Seen: August 2024 [1]
Version: 1.0
Created: 27 August 2024
Last Modified: 28 September 2024

Groups

ID Name Description
G1017 Volt Typhoon

Versa Director Zero Day Exploitation was conducted by Volt Typhoon between June and August 2024.[1]

Techniques Used

Domain ID Name Use
Enterprise T1071.001 Application Layer Protocol: Web Protocols

Versa Director Zero Day Exploitation established HTTPS communications from adversary-controlled SOHO devices over port 443 with compromised Versa Director servers.[1]

Enterprise T1584.008 Compromise Infrastructure: Network Devices

Versa Director Zero Day Exploitation used compromised small office/home office (SOHO) devices to interact with vulnerable Versa Director servers.[1]

Enterprise T1587.001 Develop Capabilities: Malware

Versa Director Zero Day Exploitation involved the development of a new web shell variant, VersaMem.[1]

Enterprise T1573.002 Encrypted Channel: Asymmetric Cryptography

Versa Director Zero Day Exploitation used HTTPS for command and control of compromised Versa Director servers.[1]

Enterprise T1190 Exploit Public-Facing Application

Versa Director Zero Day Exploitation involved exploitation of a vulnerability in Versa Director servers, since identified as CVE-2024-39717, for initial access and code execution.[1]

Enterprise T1056 Input Capture

Versa Director Zero Day Exploitation intercepted and harvested credentials from users logging in to compromised Versa Director servers.[1]

Enterprise T1095 Non-Application Layer Protocol

Versa Director Zero Day Exploitation used a non-standard TCP session to initialize communication prior to establishing HTTPS command and control.[1]

Enterprise T1505.003 Server Software Component: Web Shell

Versa Director Zero Day Exploitation resulted in the deployment of the VersaMem web shell for follow-on activity.[1]
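The command-and-control pattern mapped above (a non-standard TCP session to the Versa Director, then HTTPS over port 443 from the same source, which in this campaign was a compromised SOHO device rather than an expected management host) lends itself to a simple network hunt. The following is an added example and is not code from this page or from the cited report. It runs over constructed Zeek-style conn.log lines and makes two assumptions that are not stated in the page: that a TCP session Zeek could not label as ssl is a usable proxy for the precursor session, and that the defender keeps an allowlist of hosts permitted to manage the Director. All IP addresses, the allowlist and the time window are hypothetical.

```python
"""Hunt for Director C2 precursors in Zeek-style conn.log data (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed: internal addresses of Versa Director servers and the hosts permitted
# to manage them. Any other source reaching a Director on 443 is unexpected.
VERSA_DIRECTORS = {"10.20.0.5"}
MGMT_ALLOWLIST = {"10.20.0.10", "10.20.0.11"}

# Constructed sample in Zeek conn.log layout (tab-separated subset of fields):
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service, duration,
# orig_bytes, resp_bytes. 203.0.113.7 shows the campaign pattern: a short TCP
# session Zeek could not classify, then a long TLS session to 443.
SAMPLE_CONN_LOG = """\
1718000000.10\t10.20.0.10\t51000\t10.20.0.5\t443\ttcp\tssl\t12.0\t5400\t88000
1718000100.00\t203.0.113.7\t42100\t10.20.0.5\t443\ttcp\t-\t0.4\t60\t0
1718000101.50\t203.0.113.7\t42102\t10.20.0.5\t443\ttcp\tssl\t900.0\t4200\t1500
1718000200.00\t198.51.100.9\t40000\t10.20.0.5\t443\ttcp\tssl\t30.0\t3000\t9000
1718000300.00\t10.20.0.11\t51010\t10.20.0.5\t443\ttcp\tssl\t8.0\t2500\t40000
"""


@dataclass(frozen=True)
class Conn:
    ts: float
    orig_h: str
    resp_h: str
    resp_p: int
    proto: str
    service: str


def parse_conn_log(text: str) -> list[Conn]:
    """Parse the tab-separated subset above into Conn records, oldest first."""
    conns = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        conns.append(Conn(float(f[0]), f[1], f[3], int(f[4]), f[5], f[6]))
    return sorted(conns, key=lambda c: c.ts)


def hunt_director_c2(conns, directors=VERSA_DIRECTORS,
                     allowlist=MGMT_ALLOWLIST, window_s=300.0):
    """One finding per (source, Director) pair with unexpected HTTPS access.

    Severity is raised to "high" when the same source had an unclassified TCP
    session to that Director within window_s before its first TLS session,
    matching the T1095 -> T1071.001 sequence described for this campaign.
    """
    by_pair = defaultdict(list)
    for c in conns:
        if c.resp_h in directors and c.proto == "tcp" and c.orig_h not in allowlist:
            by_pair[(c.orig_h, c.resp_h)].append(c)

    findings = []
    for (src, director), sessions in sorted(by_pair.items()):
        https = [c for c in sessions if c.resp_p == 443 and c.service == "ssl"]
        if not https:
            continue
        first_https = https[0].ts
        # Assumed proxy for the "non-standard TCP session": Zeek left service
        # empty ("-") and it happened shortly before the first TLS session.
        precursor = [c for c in sessions
                     if c.service == "-" and 0 <= first_https - c.ts <= window_s]
        findings.append({
            "src": src,
            "director": director,
            "https_sessions": len(https),
            "raw_tcp_precursor": bool(precursor),
            "severity": "high" if precursor else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in hunt_director_c2(parse_conn_log(SAMPLE_CONN_LOG)):
        print(finding)
```

In this constructed data the two allowlisted management hosts are ignored, 198.51.100.9 is reported at medium severity as an unexpected HTTPS client, and 203.0.113.7 is reported at high severity because its TLS session was preceded by an unclassified TCP session to the same Director. Against real conn.log data the allowlist is the part that matters most: Director management interfaces reachable from arbitrary residential address space is the exposure this campaign relied on.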

Software

References