high_confidence

Versa Director Zero Day Exploitation

[Versa Director Zero Day Exploitation](https://attack.mitre.org/campaigns/C0039) was conducted by [Volt Typhoon](https://attack.mitre.org/groups/G1017) from early June through August 2024 as zero-day exploitation of Versa Director servers controlling software-defined wide area network (SD-WAN) applications. The vulnerability has since been tracked as CVE-2024-39717. Exploitation focused on credential capture from compromised Versa Director servers at managed service providers (MSPs) and internet service providers (ISPs) to enable follow-on access to service provider clients. [Versa Director Zero Day Exploitation](https://attack.mitre.org/campaigns/C0039) was followed by the delivery of the [VersaMem](https://attack.mitre.org/software/S1154) web shell for both credential theft and follow-on code execution. (Citation: Lumen Versa 2024)

Start date: 1 June 2024
End date: 1 August 2024
Techniques: 8

Attributed actors

Techniques (8)

collection (1)
T1056 Input Capture

command-and-control (3)
T1573.002 Asymmetric Cryptography
T1095 Non-Application Layer Protocol
T1071.001 Web Protocols

credential-access (1)
T1056 Input Capture

initial-access (1)
T1190 Exploit Public-Facing Application

persistence (1)
T1505.003 Web Shell

resource-development (2)
T1587.001 Malware
T1584.008 Network Devices

Indicators of compromise

No IOCs linked to this campaign yet.