New 0-Day Attacks Linked to China's 'Volt Typhoon' - Krebs on Security

Malicious hackers are exploiting a zero-day vulnerability in Versa Director, a software product used by many Internet and IT service providers. Researchers believe the activity is linked to Volt Typhoon, a Chinese cyber espionage group focused on infiltrating critical U.S. networks and laying the groundwork for the ability to disrupt communications between the United States and Asia during any future armed conflict with China.

Image: Shutterstock.com

Versa Director systems are primarily used by Internet service providers (ISPs), as well as managed service providers (MSPs) that cater to the IT needs of many small to mid-sized businesses simultaneously. In a security advisory published Aug. 26, Versa urged customers to deploy a patch for the vulnerability (CVE-2024-39717), which the company said is fixed in Versa Director 22.1.4 or later.

Versa said the weakness allows attackers to upload a file of their choosing to vulnerable systems. The advisory placed much of the blame on Versa customers who "failed to implement system hardening and firewall guidelines...leaving a management port exposed on the internet that provided the threat actors with initial access."

Versa's advisory doesn't say how it learned of the zero-day flaw, but its vulnerability listing at mitre.org acknowledges "there are reports of others based on backbone telemetry observations of a 3rd party provider, however these are unconfirmed to date."

Those third-party reports came in late June 2024 from Michael Horka, senior lead information security engineer at Black Lotus Labs, the security research arm of Lumen Technologies, which operates one of the global Internet's largest backbones.

In an interview with KrebsOnSecurity, Horka said Black Lotus Labs identified a web-based backdoor on Versa Director systems belonging to four U.S. victims and one non-U.S. victim in the ISP and MSP sectors, with the earliest known exploit activity occurring at a U.S. ISP on June 12, 2024.

"This makes Versa Director a lucrative target for advanced persistent threat (APT) actors who would want to view or control network infrastructure at scale, or pivot into additional (or downstream) networks of interest," Horka wrote in a blog post published today.

Black Lotus Labs said it assessed with "medium" confidence that Volt Typhoon was responsible for the compromises, noting the intrusions bear the hallmarks of the Chinese state-sponsored espionage group, including zero-day attacks targeting IT infrastructure providers, and Java-based backdoors that run in memory only.

In May 2023, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint warning (PDF) about Volt Typhoon, also known as "Bronze Silhouette" and "Insidious Taurus," which described how the group uses small office/home office (SOHO) network devices to hide their activity.

In early December 2023, Black Lotus Labs published its findings on "KV-botnet," thousands of compromised SOHO routers that were chained together to form a covert data transfer network supporting various Chinese state-sponsored hacking groups, including Volt Typhoon.

In January 2024, the U.S. Department of Justice disclosed the FBI had executed a court-authorized takedown of the KV-botnet shortly before Black Lotus Labs released its December report.

In February 2024, CISA again joined the FBI and NSA in warning that Volt Typhoon had compromised the IT environments of multiple critical infrastructure organizations, primarily in the communications, energy, transportation systems, and water and wastewater sectors, in the continental and non-continental United States and its territories, including Guam.

"Volt Typhoon's choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT [operational technology] assets to disrupt functions," that alert warned.

In a speech at Vanderbilt University in April, FBI Director Christopher Wray said China is developing the "ability to physically wreak havoc on our critical infrastructure at a time of its choosing," and that China's plan is to "land blows against civilian infrastructure to try to induce panic."

Ryan English, an information security engineer at Lumen, said it's disappointing his employer didn't at least garner an honorable mention in Versa's security advisory. But he said he's glad there are now a lot fewer Versa systems exposed to this attack.

"Lumen has for the last nine weeks been very intimate with their leadership with the goal in mind of helping them mitigate this," English said. "We've given them everything we could along the way, so it kind of sucks being referenced just as a third party."
This entry was posted on Tuesday, 27th of August 2024, 10:26 AM.
Comments:

This post is astonishing and alarming. The Chinese are preparing for war. It's said that if you don't trade goods, you trade bullets. I sure hope the U.S. has something positive planned for when the Russians/Iranians/Chinese try to take down our internet.

They're not just taking down our internet. They're taking down our entire infrastructure. World War 3 will not be fought with aircraft carriers and jet fighters. It is already being fought with keyboards.

Actually, World War III will be fought with both analog and digital weapons. In fact, as the current wars raging around the world have shown, those are no longer separate modes; it's one integrated battlefield now.

San (sanstudio.com)

I wouldn't be any more alarmed than you were yesterday. China has been up to this for ages. It's a normal part of their tactics. They even sell insecure products by design so they can breach you whenever they feel like it.

You act as if the U.S. didn't open this Pandora's box with Stuxnet. And as if leaks have not already proven the same has already happened in reverse, and this is just China doing the same thing in return. So by your logic, wouldn't that be "The Americans are preparing for war"? What goes around comes around, but like usual, Americans are mad when the messed-up world security state they created comes around to bite them as well. It happened with nuclear weapons and now it's happening with cyber. The way I see it, it's not so much a preparation for war as it is that they are simply doing what the U.S. has been doing all along, just like with the military-civilian fusion that Americans love to complain about. What's good for the goose is good for the gander, they say.

"victim in MSP sector" - I'd love to see details emerge about this, because Versa worked with some large MSPs which may have had dozens if not hundreds of clients using Versa systems. Versa also appears to have not invested internally in security: a quick search on LinkedIn and I can only find two full-time employees in technical security, and no CISO position at all. Versa's leadership page shows no one technical on the leadership team; it's the CEO, the former CEO as CDO and "Chief Soul Officer," and sales/marketing roles. Not even a CTO, let alone a CISO.

"Versa also appears to have not invested internally in security." Well, not sure they would agree. "The advisory placed much of the blame on Versa customers." Sure, blame your customers.

"The advisory placed much of the blame on Versa customers who failed to implement system hardening and firewall guidelines."
Zero trust should be the default. When you provide a product that has such granular and elevated access to sensitive systems, LOCK IT DOWN.
If the client complains that it breaks things, then the onus is on them to upskill or redesign processes so they do work safely and securely.
Quit the victim blaming when security is also your responsibility.

Hopefully there is something similar to a kill switch that disables the boundary nodes. The ways you can come in from anywhere in the world into the U.S. internet are physically limited by the trunks that carry the data. Those boundary nodes are well known, and their count may be high but is not infinite. I'll wager we have the "great firewall" too, after a fashion. If we do, we just choose not to use it on a daily basis against our populace.

Is there another way to see this other than prepping to attack/start war?

> "Chinese cyber espionage group focused on infiltrating critical U.S. networks and laying the groundwork for the ability to disrupt communications between the United States and Asia during any future armed conflict with China."

> "Volt Typhoon's choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT (operational technology) assets to disrupt functions."

Security researchers revealed the latest recorded zero-day attack on Versa Director software was attributed to APT Volt Typhoon, which focuses on the United States' critical systems. The group targets the weaknesses of systems employed by ISPs and MSPs and seems to intend to interfere with U.S.-Asia interactions in future conflicts. An initial and severely upsetting security advisory came from Versa to patch the discovered vulnerability, CVE-2024-39717. Black Lotus Labs have identified backdoors in the affected system and linked the activity to the threat group Volt Typhoon (Krebs, 2019). They are famous for organized IT systems attacks on the first day of these systems' utilization and Java-based hidden backdoors. They have been reported before by security organizations such as the NSA as well as the FBI as a group that utilizes refined methods.

Comments are closed.