Chinese Hackers Target ISPs with Credential-Stealing Malware

A sophisticated hacking campaign has been uncovered, targeting Internet Service Providers (ISPs) with malware designed to steal customer credentials. The attacks, which began in June, exploited a previously unknown vulnerability in a widely used network management platform.

The Attack

Cybersecurity researchers from Lumen's Black Lotus Labs discovered that hackers, believed to be working for the Chinese government, have been exploiting a critical flaw in Versa Director. This platform is commonly used by ISPs and managed service providers to oversee complex network infrastructures.

The vulnerability, now identified as CVE-2024-39717, allowed attackers to upload malicious Java files and gain elevated privileges on affected systems. Using this access, the hackers installed a custom web shell dubbed "VersaMem," granting them remote administrative control of the compromised Versa Director systems.

Impact on Customers

With this level of access, the malware could intercept customer credentials before they were encrypted, potentially compromising downstream clients. At least four US-based ISPs have been affected, though the full extent of the breach remains unclear.

Stealth Tactics

To avoid detection, the attackers launched their campaign through compromised small office and home office routers. This approach made it challenging to trace the origin of the attacks.

Resolution

Versa Networks has released a patch to address the vulnerability. ISPs and managed service providers using Versa Director versions prior to 22.1.4 are urged to update their systems immediately.

Ongoing Threat

While the vulnerability has been patched, security experts warn that the campaign may still be active. The sophisticated nature of the attacks and the potential involvement of state-sponsored actors underscore the seriousness of this threat to network infrastructure security.

ISPs and their customers are advised to remain vigilant and monitor for any signs of unauthorized access or unusual activity on their networks.