China's 'Volt Typhoon' hackers target Indian, US firms

A Chinese hacking group known as ‘Volt Typhoon’ has reportedly been accused of exploiting a zero-day vulnerability in network management platform Versa Director to breach internet service providers and technology companies, including those in the US and India. 

A zero-day exploit is a cyberattack vector that takes advantage of an unknown or unaddressed security flaw in computer software, hardware or firmware. Researchers believe this could be another reminder for chief information security officers (CISOs) to keep security patches current and to monitor for vulnerabilities.

According to security researchers at Lumen Technologies’ Black Lotus Labs, Volt Typhoon is using a security flaw in software from a California-based startup called Versa Networks to attack these internet firms. It has breached four American companies, including internet service providers, and one Indian company by exploiting this vulnerability.

The news surfaced only days after details emerged about a China-nexus threat group exploiting a security flaw in Cisco switches as a zero-day to seize control of the appliances and evade detection. The activity, attributed to Velvet Ant, was observed early this year and involved the weaponization of CVE-2024-20399 (CVSS score: 6.0) to deliver bespoke malware and gain extensive control over the compromised system, facilitating both data exfiltration and persistent access.

The flaw was found in Versa Networks’ software, which helps manage network configurations. Although Versa identified the bug and released a fix in June 2023, it seems that not all companies applied the patch in time, leaving them vulnerable to attack. The researchers said the hacking campaign is believed to be ongoing.

Volt Typhoon is suspected of being a state-sponsored Chinese hacking group. The US government has previously accused the group of infiltrating critical infrastructure in the US, like water facilities and the power grid, to cause disruptions during a future crisis, possibly linked to Taiwan.

The Chinese government has, however, denied these accusations, claiming that Volt Typhoon is a criminal group called “Dark Power” with no link to the state. It also suggested that US intelligence agencies are falsely blaming China for cyber-attacks to justify increased budgets and government contracts.

Versa issued an emergency fix for the bug at the end of June, but only informed customers widely in July, after one customer reported a breach. The company stated that this customer had not followed earlier guidelines to protect its systems, such as closing off internet access to a specific port. Versa has since updated its systems to be secure by default, meaning that even if customers do not follow the guidelines, they should still be protected.

The vulnerability is rated as “high” severity by the National Vulnerability Database. The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to fix the vulnerability or stop using Versa products by September 13, 2023. According to Versa, the hacking group has used the flaw at least once to breach a system, although the company did not name the group.

This year, other notable zero-day exploits were reported, including two significant vulnerabilities addressed by Microsoft in its May Patch Tuesday, among them CVE-2024-30040. Additionally, Google recently released an emergency update for Chrome to fix a zero-day vulnerability that was being actively exploited in attacks.

India has emerged as a prime target for hackers, with organisations facing an average of 2,924 attacks per week in the last six months, double the global figure (2,924), according to a report by cybersecurity vendor Check Point Software Technologies published earlier in August.

The healthcare sector topped the list of victims with a weekly average of 6,935 attacks, compared with 1,821 attacks on organisations in this sector globally. After healthcare, the most attacked industries in the country were education/research (6,244 attacks), consulting (3,989 attacks), and government/military (3,618 attacks).

Sundar Balasubramanian, Managing Director for India and SAARC at Check Point Software Technologies, believes that preventive measures, such as regular software updates, employee training, and the deployment of advanced security solutions, are essential to mitigate the growing threat landscape.
