Hackers infect ISPs with malware that steals customers’ credentials

Malicious hackers likely working on behalf of the Chinese government have been exploiting a high-severity zero-day vulnerability that allowed them to infect at least four US-based ISPs with malware that steals credentials used by downstream customers, researchers said Tuesday.

The vulnerability resides in the Versa Director, a virtualization platform that allows ISPs and managed service providers to manage complex networking infrastructures from a single dashboard, researchers from Black Lotus Labs, the research arm of security firm Lumen, said. The attacks, which began no later than June 12 and are likely ongoing, allow the threat actors to install “VersaMem,” the name Lumen gave to a custom web shell that gives remote administrative control of Versa Director systems.

Getting admin control of ISP infrastructure

The administrative control allows VersaMem to run with the necessary privileges to hook the Versa authentication methods, meaning the web shell can hijack the execution flow to make it introduce new functions. One of the functions VersaMem added includes capturing credentials at the moment an ISP customer enters them and before they are cryptographically hashed. Once in possession of the credentials, the threat actors work to compromise the customers. Black Lotus didn’t identify any of the affected ISPs, MSPs, or downstream customers.

CVE-2024-39717, as the zero-day is tracked, is an unsanitized file upload vulnerability that allows for the injection of malicious Java files that run on the Versa systems with elevated privileges. Versa patched the vulnerability Monday after Lumen privately reported it earlier. All versions of Versa Director prior to 22.1.4 are affected. To fly under the radar, the threat actor waged their attacks through compromised small office and home office routers.

“Given the severity of the vulnerability, the sophistication of the threat actors, the critical role of Versa Director servers in the network, and the potential consequences of a successful compromise, Black Lotus Labs considers this exploitation campaign to be highly significant,” Tuesday’s report said.

In at least a “few cases,” Black Lotus said in an email, the threat actor appeared to gain initial access to the Versa Director systems through port 4566, which Versa uses to provide what’s known as high-availability pairing between nodes. Versa’s advisory referred to these firewall requirements first released in 2015. The advisory said: “Impacted customers failed to implement system hardening and firewall guidelines mentioned above, leaving a management port exposed on the Internet that provided the threat actors with initial access.”

In Tuesday’s post, Black Lotus researchers wrote:

Black Lotus Labs initially observed anomalous traffic aligning with the possible exploitation of several US victims’ Versa Director servers between at least June 12, 2024, and mid-July 2024. Based on analysis of Lumen’s global telemetry, the initial access port for the compromised Versa Director systems was likely port 4566 which, according to Versa documentation, is a management port associated with high-availability (HA) pairing between Versa nodes. We identified compromised SOHO devices with TCP sessions over port 4566 which were immediately followed by large HTTPS connections over port 443 for several hours. Given that port 4566 is generally reserved for Versa Director node pairing and the pairing nodes typically communicate with this port for extended periods of time, there should not be any legitimate communications to that port from SOHO devices over short timeframes.

We assess the short timeframe of TCP traffic to port 4566 immediately followed by moderate-to-large sessions of HTTPS traffic over port 443 from a non-Versa node IP address (e.g. SOHO device) as a likely signature of successful exploitation. Searching through Lumen’s global telemetry, we identified four U.S. victims and one non-U.S. victim in the ISP, MSP and IT sectors, with the earliest exploitation activity occurring at a US ISP on June 12, 2024.

The following graphic provides an overview of what Black Lotus Labs observes as it relates to the exploitation of CVE-2024-xxxx and the use of the VersaMem web shell: