August 28, 2024
Severity
High
Analysis Summary
The zero-day exploitation of a recently discovered high-severity security vulnerability affecting Versa Director has been linked with a moderate degree of confidence to the China-nexus cyber espionage group Volt Typhoon.
Cybersecurity researchers stated in a technical report that the attacks targeted four U.S. and one non-U.S. victim in the Internet service provider (ISP), managed service provider (MSP), and information technology (IT) sectors, beginning as early as June 12, 2024. The campaign against unpatched Versa Director systems is believed to be ongoing.
The vulnerability in question is CVE-2024-39717 (CVSS score: 6.6), a file upload vulnerability affecting Versa Director. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to the Known Exploited Vulnerabilities (KEV) catalog last week. The flaw allows users holding the Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges to upload potentially harmful files. The affected customers had not applied the firewall and system hardening recommendations that were published in 2015 and 2017, respectively.
By using the Versa Director GUI's "Change Favicon" feature, threat actors with administrator rights can upload malicious files disguised as PNG image files. The issue is fixed in version 22.1.4 and later. Versa Networks is a vendor of secure access service edge (SASE) products, so Volt Typhoon's targeting of the company is not surprising: it fits the adversary's past use of compromised small office and home office (SOHO) network equipment to route its traffic and evade detection for prolonged periods. The vendor's customers include Adobe, Axis Bank, Barclays, Capital One, Colt Technology Services, Infosys, Orange, Samsung, T-Mobile, and Verizon, among others.

The attribution to Volt Typhoon rests partly on the use of SOHO devices and the manner in which they were used, but also on a mix of known and observed TTPs, including web shell analysis, network infrastructure, zero-day exploitation, targeted attacks on particular industries or victims, and other confirmed overlaps in malicious behavior.
The attack chains exploit the flaw to deploy a purpose-built web shell called VersaMem ("VersaTest.png"), producing in effect a large-scale supply chain attack: the shell is primarily intended to intercept and harvest credentials that would allow access to downstream customers' networks as an authenticated user. The JAR web shell is also modular, allowing the operator to load additional Java code for in-memory execution.
A sample of VersaMem was uploaded to VirusTotal from Singapore on June 7, 2024, and as of August 27, 2024 none of the anti-malware engines flag the web shell as malicious. The threat actors are believed to have tested it in the wild against non-U.S. victims before deploying it on U.S. targets. On compromised Versa Director systems, the web shell uses Java instrumentation and Javassist to inject malicious code into the memory of the Tomcat web server process.
Once injected, the web shell hooks Versa's authentication functions, letting the attacker passively capture credentials in plaintext and potentially use them later to compromise customer infrastructure. By also hooking Tomcat's request filtering functionality, the threat actor can execute arbitrary Java code in memory on the compromised server, which evades file-based detection and protects the web shell, its modules, and the zero-day itself.
To counter the threat posed by this activity cluster, it is recommended to apply the required mitigations, block external access to ports 4566 and 4570, recursively search for PNG image files, and look for network traffic from SOHO devices to port 4566 on Versa Director servers. Volt Typhoon, also tracked as Bronze Silhouette, Insidious Taurus, UNC3236, Vanguard Panda, and Voltzite, is an advanced persistent threat that has been active for at least five years, with the objective of stealthily accessing and exfiltrating sensitive data from critical infrastructure in the United States and Guam.
This case demonstrates Volt Typhoon's persistent, indirect, and patient approach to reaching its ultimate victims. Here it attacked the Versa Director system as a critical information crossroads where it could obtain credentials and access before moving down the chain to its eventual targets. Volt Typhoon's evolution shows that even a company that does not expect the attention of a highly skilled nation-state actor may be attacked because its product's customers are the real target, which should concern us all.
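The following Python script is an added defensive example for this advisory; it is not code from Versa Networks or from the researchers who reported the activity. It implements two of the checks recommended above: a recursive search for files with a .png extension whose content is not actually PNG (a JAR web shell is a ZIP archive and starts with "PK"), with each file hashed against the MD5, SHA-1 and SHA-256 indicators listed on this page, and a scan of firewall log lines for connections from non-internal sources to ports 4566 and 4570 on Versa Director hosts. The directory tree, the key=value log lines and the Director address 192.0.2.10 are constructed sample data, and the RFC 1918 ranges stand in for the organization's internal address space (assumption).

```python
"""Hunt for disguised PNG uploads and external access to Versa Director ports.

Added illustrative example; not code from Versa Networks or the researchers.
Sample tree, log lines and the Director IP are constructed; RFC 1918 ranges
are assumed to be the internal address space. Hashes are this advisory's IOCs.
"""
import hashlib
import ipaddress
import re
import tempfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # first 8 bytes of every genuine PNG
ZIP_MAGIC = b"PK\x03\x04"          # JAR files are ZIP archives

# IOCs listed in this advisory
IOC_HASHES = {
    "md5": {"368a4cd9a9b34ada390c192157988921"},
    "sha1": {"e0b5c5cd32f115b1ea4462bbbafc4cccef7d438f"},
    "sha256": {"4bcedac20a75e8f8833f4725adfc87577c32990c3783bf6c743f14599a176c37"},
}

# Ports the advisory says must not be reachable from outside
MONITORED_PORTS = {4566, 4570}

# Assumption: internal address space is RFC 1918; adjust for your network
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def hash_file(path):
    """Return md5/sha1/sha256 hex digests of a file, read in chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def classify_content(path):
    """Decide from the magic bytes what a '.png' file really contains."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(PNG_MAGIC):
        return "png"
    if head.startswith(ZIP_MAGIC):
        return "jar_or_zip"
    return "unknown"


def hunt_png_files(root):
    """Recursively report .png files that are not PNG inside or whose hash is an IOC."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() != ".png":
            continue
        content = classify_content(path)
        digests = hash_file(path)
        ioc_hit = any(digests[algo] in IOC_HASHES[algo] for algo in IOC_HASHES)
        if content != "png" or ioc_hit:
            findings.append({"path": str(path), "content": content, "ioc_hit": ioc_hit, **digests})
    return findings


# Simple key=value firewall log format (constructed for this example)
LOG_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def find_external_access(log_lines, director_ips):
    """Flag connections from non-internal sources to monitored ports on Director hosts."""
    hits = []
    for line in log_lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        src, dst, dport = match.group("src"), match.group("dst"), int(match.group("dport"))
        if dst in director_ips and dport in MONITORED_PORTS and not is_internal(src):
            hits.append({"src": src, "dst": dst, "dport": dport, "line": line})
    return hits


# Constructed sample log lines; 192.0.2.10 plays the Versa Director host
SAMPLE_LOGS = [
    "2024-06-12T03:14:07Z fw action=allow src=203.0.113.45 dst=192.0.2.10 dport=4566 proto=tcp",
    "2024-06-12T03:15:22Z fw action=allow src=10.20.30.40 dst=192.0.2.10 dport=4566 proto=tcp",
    "2024-06-12T03:16:01Z fw action=allow src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp",
    "2024-06-12T03:17:45Z fw action=allow src=198.51.100.9 dst=192.0.2.10 dport=4570 proto=tcp",
]
DIRECTOR_IPS = {"192.0.2.10"}


def build_sample_tree():
    """Throwaway directory: one genuine PNG header and one ZIP header named .png (constructed bytes)."""
    root = Path(tempfile.mkdtemp(prefix="versa_hunt_"))
    (root / "images").mkdir()
    (root / "images" / "favicon.png").write_bytes(PNG_MAGIC + b"\x00" * 32)
    (root / "images" / "VersaTest.png").write_bytes(ZIP_MAGIC + b"\x00" * 32)
    (root / "readme.txt").write_bytes(b"not an image")
    return root


if __name__ == "__main__":
    for f in hunt_png_files(build_sample_tree()):
        print("suspicious file:", f["path"], f["content"], "ioc_hit=%s" % f["ioc_hit"])
    for h in find_external_access(SAMPLE_LOGS, DIRECTOR_IPS):
        print("external access:", h["src"], "->", h["dst"], h["dport"])
```

Run it against the Versa Director web root instead of the sample tree and feed it real firewall exports in place of SAMPLE_LOGS (adjust LOG_RE to your log format). Matching on magic bytes rather than extension is the point: a web shell uploaded through the favicon feature keeps the .png name but not the PNG header, and the hash check catches the known sample even if its header were fixed up.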
Impact
- Cyber Espionage
- Privilege Escalation
- Sensitive Data Theft
- Code Execution
Indicators of Compromise
MD5
- 368a4cd9a9b34ada390c192157988921
SHA-256
- 4bcedac20a75e8f8833f4725adfc87577c32990c3783bf6c743f14599a176c37
SHA-1
- e0b5c5cd32f115b1ea4462bbbafc4cccef7d438f
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Refer to the Versa Networks advisory for patch, upgrade, or suggested workaround information.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, implement code hardening within the organization so that its websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed code.
- Ensure that all software, particularly from third-party vendors, is obtained from trusted sources and that updates come from the vendor's official website or app store.
- Conduct regular security assessments and audits of all software, especially those that handle sensitive data, to detect any suspicious activities.
- Implement multi-factor authentication and strong password policies to prevent unauthorized access to sensitive systems and data.
- Train employees on best practices for identifying and reporting suspicious activities, such as phishing emails or unusual network traffic.
- Deploy endpoint protection solutions with advanced threat detection capabilities to identify and block any malicious activities.
- Implement network segmentation and access controls to limit the spread of malware in case of a successful attack.
- Monitor network traffic and system logs to detect any unusual or suspicious activities, such as unauthorized file transfers or unusual process execution.
- Develop an incident response plan that outlines the steps to be taken in case of a successful attack, including how to isolate and contain the affected systems and how to communicate with stakeholders, such as customers and regulatory bodies.