Amidst Volt Typhoon zero-day exploitation, Censys finds hundreds of exposed servers presenting ripe attack surface for attackers.
As organizations scramble to respond to zero-day exploitation of Versa Director servers by Chinese APT Volt Typhoon, new data from Censys shows more than 160 exposed devices online still presenting a ripe attack surface for attackers.
Censys shared live search queries Wednesday showing hundreds of exposed Versa Director servers pinging from the US, Philippines, Shanghai and India and urged organizations to isolate these devices from the internet immediately.
It is not quite clear how many of those exposed devices are unpatched or failed to implement system hardening guidelines (Versa says firewall misconfigurations are to blame) but because these servers are typically used by ISPs and MSPs, the scale of the exposure is considered enormous.
Even more worrisome, more than 24 hours after disclosure of the zero-day, anti-malware products are very slow to provide detections for VersaTest.png, the custom VersaMem web shell being used in the Volt Typhoon attacks.
Although the vulnerability is considered difficult to exploit, Versa Networks said it slapped a ‘high-severity’ rating on the bug that affects all Versa SD-WAN customers using Versa Director that have not implemented system hardening and firewall guidelines.
The zero-day was caught by malware hunters at Black Lotus Labs, the research arm of Lumen Technologies. The flaw, tracked as CVE-2024-39717, was added to the CISA known exploited vulnerabilities catalog over the weekend.
Versa Director servers are used to manage network configurations for clients running SD-WAN software and heavily used by ISPs and MSPs, making them a critical and attractive target for threat actors seeking to extend their reach within enterprise network management.
Versa Networks has released patches (available only on password-protected support portal) for versions 21.2.3, 22.1.2, and 22.1.3.
Black Lotus Labs has published details of the observed intrusions and IOCs and YARA rules for threat hunting.
Volt Typhoon, active since mid-2021, has compromised a wide variety of organizations spanning communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and the education sectors.
The US government believes the Chinese government-backed threat actor is pre-positioning for malicious attacks against critical infrastructure targets.