A group of hackers known as Volt Typhoon, linked to the Chinese government, has exploited a zero-day vulnerability in Versa Director, tracked as CVE-2024-39717, to target U.S. internet service providers.

The exploitation process involved creating an admin account, uploading a custom web shell named VersaMem, and harvesting credentials from legitimate users.

Initial access to the compromised systems was likely gained through an exposed management port, port 4566, due to inadequate system hardening and firewall practices.

Lumen identified at least five organizations, primarily in the U.S., that were hacked during the summer, raising alarms over foreign cyber threats.

U.S. government agencies have accused Volt Typhoon of infiltrating networks that support essential services, including water, power, and communications.

Concerns are mounting regarding the vulnerability of U.S. critical infrastructure, which has been targeted by Volt Typhoon in past cyberattacks.

The attacks reportedly began as early as June 12, 2024, and have been characterized by sophisticated techniques to evade detection.

The modular web shell can load additional Java malware routines that operate in memory, making detection more difficult for security systems.

CISA has warned that such vulnerabilities are common attack vectors for malicious cyber actors and pose significant risks to federal enterprises.

Experts emphasize the importance of secure-by-design practices in software development to minimize risks for end users.

The Volt Typhoon campaign was publicly identified by Microsoft in May 2023, prompting U.S. officials to urge improved cybersecurity measures.

The Chinese Embassy in Washington did not respond to requests for comment, although China typically denies allegations of cyberespionage.