Hackers infect ISPs with malware that steals customers' credentials
Hackers linked to the Chinese government exploited a zero-day vulnerability in the Versa Director platform at U.S. ISPs, installing malware that captures customer credentials before they are hashed. The vulnerability has since been patched.
Hackers, likely affiliated with the Chinese government, have exploited a critical zero-day vulnerability in the Versa Director platform, affecting at least four U.S.-based Internet Service Providers (ISPs). The vulnerability, tracked as CVE-2024-39717, allowed the attackers to install a custom web shell named "VersaMem," which gave them remote administrative control over the affected systems. Exploitation began around June 12, 2024, and the malware captures customer credentials before they are hashed. The attackers gained initial access through an exposed management port that had not been locked down as Versa's hardening guidance recommends. Versa patched the vulnerability after it was reported by Lumen's Black Lotus Labs, which noted the sophistication of the threat actors and the potential consequences of such breaches. The report stresses the significance of this campaign, given the central role Versa Director servers play in managing network infrastructure. Black Lotus Labs identified several anomalous traffic patterns indicating successful exploitation, including traffic involving compromised small office and home office routers.
- Hackers exploited a zero-day vulnerability in the Versa Director platform used by ISPs.
- The malware, named "VersaMem," captures customer credentials before they are hashed.
- Initial access was gained through an unsecured management port.
- The vulnerability was patched after being reported by Lumen's Black Lotus Labs.
- The campaign is considered highly significant due to its potential impact on customer security.
Related
The Wild West of Proof of Concept Exploit Code (PoC)
CVE-2024-6387 is a serious unauthenticated remote code execution vulnerability in OpenSSH, with complex exploitation requiring knowledge of system architecture. The exploit code contains malicious elements, emphasizing risks of untrusted code.
Mac and Windows users infected by software updates delivered over hacked ISP
Hackers compromised an ISP to deliver malware to Windows and Mac users via software updates, affecting multiple applications. Users are advised to avoid insecure updates and use secure DNS protocols.
SolarWinds Web Help Desk Java Deserialization Remote Code Execution Vulnerability
CVE-2024-28986 is a critical vulnerability in SolarWinds Web Help Desk, allowing remote code execution. Users are advised to apply patches, as CISA has included it in its Known Exploited Vulnerabilities Catalog.
Windows 0-day was exploited by North Korea to install advanced rootkit
North Korean hackers exploited a Windows zero-day vulnerability, CVE-2024-38193, to install the undetectable FudModule rootkit, targeting sensitive sectors while Microsoft delayed patching for six months.
New 0-Day Attacks Linked to China's 'Volt Typhoon'
Malicious hackers linked to China's Volt Typhoon group are exploiting a zero-day vulnerability in Versa Director, urging customers to update systems to prevent potential disruptions to critical U.S. infrastructure.