
Versa Director Zero-Day Under Siege: Volt Typhoon and Bronze Silhouette Campaign


Cybercriminal groups and nation-aligned advanced persistent threats (APTs) are increasingly converging on stealth-first, persistence-focused, and monetization-driven operations. Recent reporting shows both financially motivated actors and suspected state-aligned groups actively exploiting a critical Versa Director zero-day to achieve initial access, persistence, and follow-on operations ranging from proxy/bandwidth monetization to espionage.

Executive summary

A zero-day vulnerability, tracked as CVE-2024-39717, has been actively exploited in Versa Director servers, which are used to manage software-defined wide area network (SD-WAN) deployments. The flaw affects all versions prior to 22.1.4 and poses a significant risk, as Director servers are widely deployed by internet service providers (ISPs) and managed service providers (MSPs) to orchestrate enterprise network configurations.

Exploitation of this vulnerability has led to the deployment of a custom web shell, named VersaMem, designed to harvest credentials and facilitate further in-memory code execution. Victims have been observed in the ISP, MSP, and IT sectors, with exploitation dating back to June 2024. Attackers are gaining initial access through exposed management ports used for high-availability (HA) pairing, then leveraging the flaw to implant VersaMem.

The campaign has been attributed with moderate confidence to Chinese state-sponsored groups Volt Typhoon and Bronze Silhouette, with ongoing targeting of unpatched Versa Director instances. Organizations are strongly advised to upgrade to version 22.1.4 or later, review Versa Networks’ security advisories, and apply recommended mitigations to prevent compromise of critical network management infrastructure.

Background on observed threat activity

Volt Typhoon

  • Volt Typhoon is an opportunistic intrusion group that scans internet-facing Versa Director instances and other network management consoles, exploiting vulnerabilities to deploy lightweight proxy and bandwidth-sharing toolsets. Operators favor low-CPU, stealthy payloads and encrypted C2 channels with small-footprint loaders that persist as relay/proxy infrastructure; their primary goals are monetization (reselling transit/proxy services), establishing long-term relay nodes, and creating stepping stones for further intrusions.

Bronze Silhouette

  • Bronze Silhouette is a targeted, intrusion-focused actor that compromises high-value enterprises and communications providers to steal credentials, collect sensitive data, and maintain long-term access for potential espionage. Post-exploitation behavior typically includes reconnaissance, deployment of Cobalt Strike beacons, DLL side-loading for stealthy backdoor execution, and custom persistence mechanisms (services, scheduled tasks, or DLL hijacks).

Vulnerability overview

  • CVE-ID: CVE-2024-39717
  • CVSS Score: 7.2 (High)
  • EPSS Score: 88.41%
  • Vulnerability: Privilege Escalation
  • Affected Product: Versa Director versions prior to 22.1.4

Infection Method

Initial Access

  • Threat actors gained initial access through exposed Versa Director management ports left open on the internet due to lack of system hardening and firewall rules.
  • Users with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges could upload potentially malicious files.

Exploitation

  • Attackers exploited CVE-2024-39717, which allows uploading of malicious files by privileged users, leading to compromise.
  • The vulnerability is rated “High” but is difficult to exploit.

Payload Delivery

  • Malicious files are uploaded by attackers leveraging privileged access.
  • These files could be used to deploy further payloads or tools.

Execution & Persistence

  • After upload, malicious files execute on the system to maintain access and control.
  • Persistence relies on the attacker’s ability to use the uploaded files and privileges.

Impact

  • Management plane compromise: Full access to a Versa Director instance can enable abuse of downstream managed devices, configuration tampering, and covert traffic relaying.
  • Monetization: Criminal groups can monetize compromised infrastructure via bandwidth sharing, proxy rentals, or cryptomining while keeping resource usage low to remain undetected.
  • Espionage & data theft: APT actors can collect sensitive configuration and telemetry, pivot into tenant environments, and exfiltrate data.

Mitigation steps

  • Upgrade Versa Director to version 22.1.4 or later.
  • Apply Versa patches and follow security advisories from July and August 2024.
  • Harden systems: Disable unnecessary GUI features, enforce MFA, and segment networks.
  • Monitor traffic: Use advanced network analysis tools to detect unusual behavior.
  • Audit credentials: Regularly rotate and monitor privileged accounts.
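As an added defender-side example (not from the original post, and not Versa Networks' code), the script below applies the "monitor" and "audit credentials" points to a constructed Director audit log: it surfaces every file upload performed by the two privileged roles named under Initial Access, and any privileged login arriving from outside an assumed management network. The log line format, the sample users and paths, and the 10.10.5.0/24 allow-list are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample audit lines (NOT Versa's real log format; the layout is an assumption).
# Fields: timestamp user role source_ip action detail
SAMPLE_AUDIT = """\
2024-06-12T08:01:10Z admin1 Provider-Data-Center-Admin 10.10.5.21 LOGIN ok
2024-06-12T08:03:44Z admin1 Provider-Data-Center-Admin 10.10.5.21 UPLOAD /opt/versa/upload/config.bin
2024-06-12T23:17:02Z svc-ha Provider-Data-Center-System-Admin 203.0.113.77 LOGIN ok
2024-06-12T23:18:30Z svc-ha Provider-Data-Center-System-Admin 203.0.113.77 UPLOAD /opt/versa/upload/update.jar
2024-06-13T02:40:11Z admin1 Provider-Data-Center-Admin 198.51.100.9 LOGIN ok
2024-06-13T09:00:00Z analyst Tenant-User 10.10.5.30 LOGIN ok
"""

# The two roles the advisory says can upload files to Director.
PRIV_ROLES = {"Provider-Data-Center-Admin", "Provider-Data-Center-System-Admin"}
# Assumed management/jump-host network; replace with your own Director peer and admin ranges.
MGMT_NETS = [ipaddress.ip_network("10.10.5.0/24")]
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (.*)$")


def parse_audit(text):
    """Yield one dict per well-formed audit line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, role, ip, action, detail = m.groups()
            yield {"ts": ts, "user": user, "role": role,
                   "ip": ipaddress.ip_address(ip), "action": action, "detail": detail}


def in_mgmt_net(ip):
    return any(ip in net for net in MGMT_NETS)


def find_alerts(text):
    """Return alerts, in log order, for privileged-role activity worth reviewing."""
    alerts = []
    for ev in parse_audit(text):
        if ev["role"] not in PRIV_ROLES:
            continue  # tenant-level accounts cannot reach the upload path
        untrusted = not in_mgmt_net(ev["ip"])
        if ev["action"] == "UPLOAD":
            # Every privileged upload is the exploit vector: record it, rank untrusted sources higher.
            alerts.append({"rule": "priv-upload", "user": ev["user"], "ip": str(ev["ip"]),
                           "detail": ev["detail"], "untrusted_src": untrusted})
        elif ev["action"] == "LOGIN" and untrusted:
            alerts.append({"rule": "priv-login-outside-mgmt", "user": ev["user"],
                           "ip": str(ev["ip"]), "detail": ev["detail"], "untrusted_src": True})
    return alerts
```

Run `find_alerts(SAMPLE_AUDIT)` over a real export in the same shape and review the `untrusted_src` hits first; the in-network upload is still listed so it can be matched against change tickets.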

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.