Chinese government hackers targeted US internet providers with zero-day exploit, researchers say

Date:

Share post:


A group of hackers linked to the Chinese government used a previously unknown vulnerability in software to target U.S. internet service providers, security researchers have found. 

The group known as Volt Typhoon was exploiting the zero-day flaw — meaning the software maker was unaware of it before having time to patch — in Versa Director, a piece of software made by Versa Networks, according to researchers at Black Lotus Labs, which is part of cybersecurity firm Lumen.

Versa sells software to manage network configurations, and is used by internet service providers (ISPs) and managed service providers (MSPs), which makes Versa “a critical and attractive target” for hackers, the researchers wrote in a report published on Tuesday. 

This is the latest discovery of hacking activities carried out by Volt Typhoon, a group that is believed to be working for the Chinese government. The group focuses on targeting critical infrastructure, including communication and telecom networks, with the goal of causing “real-world harm” in the event of a future conflict with the United States. U.S. government officials testified earlier this year that the hackers aim to disrupt any U.S. military response in a future anticipated invasion of Taiwan.

The hackers’ goals, according to Black Lotus Labs’ researchers, were to steal and use credentials on downstream customers of the compromised corporate victims. In other words, the hackers were targeting Versa servers as crossroads where they could then pivot into other networks connected to the vulnerable Versa servers, Mike Horka, the security researcher who investigated this incident, told TechCrunch in a call. 

Contact Us

Do you have more information about Volt Typhoon, or other government-sponsored hacking activities? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.

“This wasn’t limited to just telecoms, but managed service providers and internet service providers,” said Horka. “These central locations that they can go after, which then provide additional access.” Horka said these internet and networking companies are targets themselves, “very likely because of the access that they could potentially provide to additional downstream customers.”

Horka said he found four victims in the United States, two ISPs, one MSP and an IT provider; and one victim outside of the U.S., an ISP in India. Black Lotus Labs did not name the victims. 

Versa’s Chief Marketing Officer Dan Maier told TechCrunch in an email that the company has patched the zero-day identified by Black Lotus Labs.

“Versa confirmed the vulnerability and issued an emergency patch at that time. We have since issued a comprehensive patch and distributed this to all customers,” said Maier, adding that researchers warned the company of the flaw in late June.  

Maier told TechCrunch that Versa itself was able to confirm the flaw and observe the “APT attacker” taking advantage of it. 

Black Lotus Labs said it alerted the U.S. cybersecurity agency CISA of the zero-day vulnerability and the hacking campaign. On Friday, CISA added the zero-day to its list of vulnerabilities that are known to have been exploited. The agency warned that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”



Source link

Lisa Holden
Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.

Recent posts

Related articles

TechCrunch Space: Nothing to see here!

Hello, and welcome back to TechCrunch Space. There was absolutely no news last week because nothing happened. Just...

Generative disinfo is real — you’re just not the target, warns deepfake tracking nonprofit

Many feared that the 2024 election would be affected, and perhaps decided, by AI-generated disinformation. While there...

The Rivian-Volkswagen joint venture deal is now up to $5.8B

Rivian and Volkswagen Group have finalized a multi-billion-dollar joint venture to develop software, paving the way to...

Anysphere acquires Supermaven to beef up Cursor

Anysphere, the company behind Cursor, has acquired AI coding assistant Supermaven for an undisclosed sum. Anysphere CEO Michael Truell...

Bluesky is seeing an exodus of unhappy X users following the election

X, formerly Twitter, is no longer the “digital town square” it once promised to be. Following the...

Firefly Aerospace readies for a big year in orbit with $175M D round

Firefly Aerospace has raised a massive late-stage funding round ahead as it prepares for the launch of...

Zoox rolls outs custom robotaxi in San Francisco, Las Vegas

Zoox is testing its custom robotaxis, which are built without a steering wheel or pedals, on public...

Now anyone in LA can hail a Waymo robotaxi

Waymo has opened its robotaxi service to everyone in Los Angeles, sunsetting a waitlist that had grown...