Chinese hackers target Indian and US internet companies via startup, Lumen claims | Technology News

The Chinese state-sponsored hacking campaign known as Volt Typhoon is exploiting a bug in software made by a California-based startup to break into U.S. and Indian internet companies, according to security researchers.

Volt Typhoon has attacked four U.S. companies, including internet service providers, and another in India through a vulnerability in a Versa Networks server product, according to Black Lotus Labs, a unit of Lumen Technologies Inc. Its assessment, much of which was published in a blog post Tuesday, concluded with “moderate confidence” that Volt Typhoon was behind the breaches of unpatched Versa systems and said exploitation was likely ongoing.

Versa, which makes software that manages network configurations and has attracted investments from BlackRock Inc. and Sequoia Capital, announced the bug last week and offered a patch and other mitigations.

The disclosure will heighten concerns about the susceptibility of US critical infrastructure to cyberattacks. This year, the US accused Volt Typhoon of infiltrating networks that operate critical services for the US, including some of the country’s water facilities, power grid and communications sectors, in order to cause disruptions during a future crisis, such as an invasion of Taiwan.

Lumen shared its findings with Versa in late June, according to Lumen and supporting documentation shared with Bloomberg.

Versa, which is based in Santa Clara, California, said it had issued an emergency patch to fix the problem in late June but only began reporting the issue to its customers in July, when one of them notified it that it had suffered a breach. Versa said that customer, which it did not identify, did not follow previously published guidelines on how to protect its systems through firewall rules and other measures.

Dan Maier, Versa’s chief marketing officer, said in an email Monday that those 2015 guidelines include advising customers to shut down internet access to a specific port — something the customer had not followed. Since last year, he said, Versa has taken steps of its own to make the system “secure by default,” meaning customers will no longer be exposed to that risk even if they haven’t followed the company’s guidelines.

According to the National Vulnerability Database, the bug has a “high” severity rating. On Friday, the Cybersecurity and Infrastructure Security Agency, known as CISA, ordered federal agencies to patch Versa products or stop using them by Sept. 13.

The vulnerability has been exploited in at least one known case by a sophisticated hacking group, Versa said in a blog post Monday. The company did not identify the group, and on Friday, Versa told Bloomberg it did not know the identity.

Microsoft Corp. publicly identified and named the campaign Volt Typhoon in May 2023. Since its discovery, U.S. officials have urged companies and utilities to improve their record-keeping to help hunt down and root out hackers, who use vulnerabilities to break into systems and can then remain undetected for long periods of time.

The Chinese government has dismissed the US accusations, saying hacking attacks attributed to Volt Typhoon are the work of cybercriminals.

In January, CISA Director Jen Easterly briefed Congress on malicious cyber activity, warning that the U.S. has only discovered the tip of the iceberg when it comes to victims and that China’s goal is to plunge the U.S. into “societal panic.”

U.S. agencies including CISA, the National Security Agency and the FBI said in February that Volt Typhoon’s activity dates back at least five years and has targeted communications, power, transportation, water and wastewater systems.

Lumen first identified the malicious code in June, according to Lumen researcher Michael Horka. A malware sample uploaded from Singapore on June 7 had the characteristics of Volt Typhoon, he said in an interview.

Horka, a former FBI cyber investigator who joined Lumen in 2023 after working on Volt Typhoon cases for the federal government, said the code was a web shell that allowed hackers to gain access to a customer’s network through legitimate credentials and then behave as if they were bona fide users.

First published: August 27, 2024 | 11:21 PM IST
