The Cybersecurity and Infrastructure Security Agency (CISA) added a new vulnerability to its known exploited vulnerabilities catalog following a warning last week from Lumen Technologies that Chinese state-sponsored threat actor Volt Typhoon is actively exploiting a zero-day vulnerability in network management platform Versa Director.

According to a report released on Aug. 27, the Black Lotus Labs team at Lumen Technologies discovered active exploitation of a zero-day vulnerability in Versa Director servers as early as June 12 and attributed it with “moderate confidence” to the notorious China-backed hacker group Volt Typhoon.

CISA Executive Assistant Director for Cybersecurity Jeff Greene said Federal agencies have not been impacted.

“Based on collaboration with our industry partners, CISA issued an alert last Friday adding the Versa Director vulnerability to our known exploited vulnerabilities (KEV) catalog, which is our authoritative source of vulnerabilities that are being actively exploited,” Greene told MeriTalk in an emailed statement. “We issued a new alert yesterday with updated information and we urge all relevant organizations to prioritize patching this vulnerability.”

The exploit allows hackers to acquire user credentials that “enable access into downstream customers’ networks as an authenticated user,” Lumen said.

“This exploitation campaign has remained highly targeted” at internet service providers, managed service providers, and large IT enterprises, Lumen added, including four U.S. victims and one non-U.S. victim.

“At the time of this writing, we assess the exploitation of this vulnerability is limited to Volt Typhoon and is likely ongoing against unpatched Versa Director systems,” the report released Tuesday reads.

“Given the severity of the vulnerability, the sophistication of the threat actors, the critical role of Versa Director servers in the network, and the potential consequences of a successful compromise, Black Lotus Labs considers this exploitation campaign to be highly significant,” the report says.

Black Lotus Labs encouraged entities running Versa Director to upgrade to version 22.1.4 or later, review the guidance provided by Versa Networks in security advisories sent to customers on July 26 and Aug. 8, and follow additional detection and mitigation steps.

“At this time, CISA has no indication that Federal agencies have been impacted,” Greene said. “While the U.S. government has not attributed this threat to a specific actor, CISA has been clear about the urgent risk to critical infrastructure posed by Chinese cyber actors. We urge critical infrastructure owners and operators to take steps to protect against this threat and improve their security and resilience.”

CISA is calling on organizations leveraging Versa Director to apply necessary updates, hunt for any malicious activity, and report any positive findings to CISA.

Cate Burgan
Cate Burgan is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.