C0039 Versa Director Zero Day Exploitation
Versa Director Zero Day Exploitation was conducted by Volt Typhoon from early June through August 2024 as zero-day exploitation of Versa Director servers, which manage software-defined wide area network (SD-WAN) deployments. The vulnerability has since been tracked as CVE-2024-39717. Exploitation focused on capturing credentials from compromised Versa Director servers at managed service providers (MSPs) and internet service providers (ISPs) in order to enable follow-on access to those providers' customers. Versa Director Zero Day Exploitation was followed by delivery of the VersaMem web shell, used for both credential theft and follow-on code execution.1
| Item | Value |
|---|---|
| ID | C0039 |
| Associated Names | |
| First Seen | June 2024 |
| Last Seen | August 2024 |
| Version | 1.0 |
| Created | 27 August 2024 |
| Last Modified | 28 September 2024 |
Groups
| ID | Name | References |
|---|---|---|
| G1017 | Volt Typhoon | Versa Director Zero Day Exploitation was conducted by Volt Typhoon between June and August 2024.1 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Versa Director Zero Day Exploitation established HTTPS communications from adversary-controlled SOHO devices over port 443 with compromised Versa Director servers.1 |
| enterprise | T1584 | Compromise Infrastructure | - |
| enterprise | T1584.008 | Network Devices | Versa Director Zero Day Exploitation used compromised small office/home office (SOHO) devices to interact with vulnerable Versa Director servers.1 |
| enterprise | T1587 | Develop Capabilities | - |
| enterprise | T1587.001 | Malware | Versa Director Zero Day Exploitation involved the development of a new web shell variant, VersaMem.1 |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | Versa Director Zero Day Exploitation used HTTPS for command and control of compromised Versa Director servers.1 |
| enterprise | T1190 | Exploit Public-Facing Application | Versa Director Zero Day Exploitation involved exploitation of a vulnerability in Versa Director servers, since identified as CVE-2024-39717, for initial access and code execution.1 |
| enterprise | T1056 | Input Capture | Versa Director Zero Day Exploitation intercepted and harvested credentials from user logins to compromised devices.1 |
| enterprise | T1095 | Non-Application Layer Protocol | Versa Director Zero Day Exploitation used a non-standard TCP session to initialize communication prior to establishing HTTPS command and control.1 |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | Versa Director Zero Day Exploitation resulted in the deployment of the VersaMem web shell for follow-on activity.1 |
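The technique rows above describe an observable pattern on the network side: HTTPS sessions to a Versa Director server on port 443 originating from adversary-controlled SOHO devices (T1071.001, T1584.008), preceded by a non-standard TCP session used to initialize communication (T1095). The following detector is an added example written for this page; it is not code from ATT&CK, Versa, or the cited reporting. It runs over constructed Zeek-style connection records and flags Director sessions on 443 from sources outside a trusted management netblock, and separately flags any non-TLS TCP session to the Director from the same source shortly before the 443 session. The Director address, the trusted netblock, the 300-second precursor window, the record layout, and the sample records are all assumptions made for the example.

```python
"""Flag Versa Director management sessions that match the C0039 pattern.

Added example, not from the ATT&CK page or its sources. Assumptions (hypothetical):
  - DIRECTOR_HOSTS: management address(es) of the Versa Director.
  - TRUSTED_MGMT: netblock(s) from which admins legitimately reach the Director.
  - PRECURSOR_WINDOW_S: how far back to look for a non-TLS TCP "initialization" flow.
  - Records are (ts, src_ip, dst_ip, dst_port, proto, service), like Zeek conn.log.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

DIRECTOR_HOSTS = {"198.51.100.10"}              # hypothetical Director IP (TEST-NET-2)
TRUSTED_MGMT = [ip_network("10.20.0.0/16")]     # hypothetical admin/MSP tooling netblock
PRECURSOR_WINDOW_S = 300                        # assumed window for T1095 precursor flow

# Constructed sample records (not real telemetry): (ts, src, dst, dport, proto, service)
SAMPLE_CONNS = [
    (1718000000.0, "10.20.5.7",    "198.51.100.10", 443,  "tcp", "ssl"),  # admin, expected
    (1718000100.0, "203.0.113.44", "198.51.100.10", 7000, "tcp", "-"),    # odd TCP session
    (1718000160.0, "203.0.113.44", "198.51.100.10", 443,  "tcp", "ssl"),  # then HTTPS
    (1718000200.0, "203.0.113.44", "203.0.113.1",   53,   "udp", "dns"),  # unrelated
    (1718000300.0, "192.0.2.9",    "198.51.100.10", 443,  "tcp", "ssl"),  # no precursor
]


def is_trusted(src_ip, trusted):
    """True if src_ip falls inside any of the trusted management netblocks."""
    addr = ip_address(src_ip)
    return any(addr in net for net in trusted)


def find_suspicious_director_sessions(conns, director_hosts=DIRECTOR_HOSTS,
                                      trusted=TRUSTED_MGMT, window=PRECURSOR_WINDOW_S):
    """Return a list of alerts {src, ts, reasons} for 443 sessions to the Director.

    A 443 session is reported when the source is outside the trusted netblocks
    and/or when the same source had a non-TLS TCP flow to the Director within
    `window` seconds beforehand (the page's "non-standard TCP session").
    """
    by_src = defaultdict(list)
    for rec in conns:
        _, src, dst, _, proto, _ = rec
        if dst in director_hosts and proto == "tcp":
            by_src[src].append(rec)

    alerts = []
    for src, recs in by_src.items():
        recs.sort()  # oldest first; ts is the first tuple element
        for i, (ts, _, _, dport, _, _) in enumerate(recs):
            if dport != 443:
                continue
            reasons = []
            if not is_trusted(src, trusted):
                reasons.append("T1071.001/T1584.008: HTTPS to Director from untrusted source")
            precursors = [r for r in recs[:i]
                          if r[3] != 443 and r[5] != "ssl" and ts - r[0] <= window]
            if precursors:
                p = precursors[-1]
                reasons.append(f"T1095: non-TLS TCP session to Director port {p[3]} "
                               f"{ts - p[0]:.0f}s before the HTTPS session")
            if reasons:
                alerts.append({"src": src, "ts": ts, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_director_sessions(SAMPLE_CONNS):
        print(alert["src"], alert["ts"])
        for reason in alert["reasons"]:
            print("   ", reason)
```

The trusted-netblock check alone would also fire on every roaming admin, so in practice the precursor heuristic is the higher-confidence signal and the source check is what you tune; both are deliberately separate reasons in the output so an analyst can see which one fired.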
Software
| ID | Name | Description |
|---|---|---|
| S1154 | VersaMem | VersaMem was used during Versa Director Zero Day Exploitation by Volt Typhoon.1 |