[HN Gopher] New 0-Day Attacks Linked to China's 'Volt Typhoon'
___________________________________________________________________
New 0-Day Attacks Linked to China's 'Volt Typhoon'
Author : todsacerdoti
Score : 171 points
Date : 2024-08-27 14:31 UTC (8 hours ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)
| skybrian wrote:
| What does Versa Director do? Is it widely used?
| diggan wrote:
| Second paragraph:
|
| > Versa Director systems are primarily used by Internet service
| providers (ISPs), as well as managed service providers (MSPs)
| that cater to the IT needs of many small to mid-sized
| businesses simultaneously.
|
| From their own website:
|
| > Versa Director is Versa Networks' virtualization and service
| creation platform that simplifies the creation, automation and
| delivery of services using Versa WAN edge software, FlexVNF.
|
| https://versa-networks.com/documents/datasheets/versa-direct...
| skybrian wrote:
| Yes, but that doesn't really do it for me, so I was wondering
| if someone who has used them could explain it better.
| Liquix wrote:
| enterprise-scale remote device management. e.g. a platform
| used to roll out firmware updates to millions of routers
| another2another wrote:
| Kinda like Crowdstrike ?
|
| (a low blow I know)
| FuriouslyAdrift wrote:
| It's an SD-WAN. Bundles up a bunch of network tools into a
| proprietary managed product to splice together multiple WAN
| links, load balance them, minimise spend, and maximise
| uptime while keeping latency down and throughput up.
| josecapurro wrote:
| Versa Director is the management solution for their SD-WAN, SD-
| LAN, SASE, ZTNA and whatnot. It manages the Versa CSG routers
| and their respective configuration.
|
| Here in Paraguay we have an ISP using it for their enterprise
| secure SD-WAN offering. I know it is deployed in Colombia also
| by the same ISP. So, it is used, although how widely I do not know.
|
| It is similar to FortiManager, Aruba Central, and the like.
| iaaan wrote:
| As a developer on a project like 5 years ago that was intended to
| integrate one of our products with Versa's equipment and
| Director, I'm surprised it took this long. There are probably
| more where that came from.
| imhereforwifi wrote:
| >Versa said the weakness allows attackers to upload a file of
| their choosing to vulnerable systems.
|
| I am curious why Versa doesn't use the exploit themselves to
| patch the issue? It would be a great wake-up moment to realize
| that stuff is not as secure as it should be with updates.
| ethbr1 wrote:
| Liability and the recent CrowdStrike patch fiasco.
| tormeh wrote:
| Enterprise customers don't like surprises; not even positive
| ones. This is a good way to lose trust.
| 0xdeadbeefbabe wrote:
| They did, but they didn't tell you.
|
| Edit: (Just speculation)
| blahgeek wrote:
| (I'm Chinese and a software engineer, so it's my obviously-
| biased 2 cents)
|
| Based on my observation of fellow Chinese software engineers'
| average knowledge and skills about cyber security, as well as the
| absolute absence of security considerations in most "SOHO network
| devices" in China, I would rather apply Hanlon's razor and say
| that it's not Chinese attackers, but a Chinese botnet.
|
| As you may already know, Chinese users and software engineers
| generally do not care about personal privacy and hence also
| cyber security, so the entire industry is rather undeveloped.
| loufe wrote:
| What on earth would the "average" developer's knowledge and
| skills in cyber security have anything to do with it? I believe
| there are enormous quantities of brilliant and well-educated
| people in every major country. China certainly doesn't lack
| them, nor does the US, Russia, India, Germany, Brazil, etc.
|
| If you read the CVE description linked you'll notice some
| details focused on the actual specific product. I have a hard
| time believing random hackers trying to build a botnet would
| search out critical infrastructure and burn expensive 0-days
| for small amounts of compute.
| blahgeek wrote:
| > What on earth would the "average" developer's knowledge and
| skills in cyber security have anything to do with it?
|
| I may be wrong, but I think the development of an "industry"
| would depend on the foundation of related education and its
| popularity in the population. Like if football is not taught
| in school and people generally don't play it in a
| country, it's unlikely to have a team win in the Olympics even
| if the government wants it.
| AureliusMA wrote:
| The previous commenter is right. This is related to
| espionage and warfare, which every major power (China
| included) invests in. I believe China values education and
| sovereignty.
| aragonite wrote:
| The link between Volt Typhoon and China is not as firmly
| established as news reports tend to suggest. It's mostly based
| on tactical attributions (as opposed to operational and
| strategic ones). China attributes the indicators to a
| cybercrime group. This blog post has a good summary of the
| state of evidence (such as it is):
|
| https://nattothoughts.substack.com/p/who-is-volt-typhoon-a-s...
| 2OEH8eoCRo0 wrote:
| The article states this
|
| > Black Lotus Labs said it assessed with "medium" confidence
| that Volt Typhoon was responsible for the compromises, noting
| the intrusions bear the hallmarks of the Chinese state-
| sponsored espionage group -- including zero-day attacks
| targeting IT infrastructure providers, and Java-based
| backdoors that run in memory only.
|
| Who is Natto Thoughts and why should I care? Substack
| opinions are cheap.
| aragonite wrote:
| That paragraph you cited simply says that the intrusions
| bear the hallmarks of Volt Typhoon. It has no bearing on
| the separate question of who Volt Typhoon is.
|
| Analogy: "was this murder committed by Jack the Ripper?"
| and "who was Jack the Ripper?" are separate questions.
|
| > Who the heck is Natto Thoughts and why should I care?
|
| You can check out their about page:
|
| https://nattothoughts.substack.com/about
| spr-alex wrote:
| Regarding attribution to Volt Typhoon, please see CISA's
| previous advisory, where they raised alarms about the
| targeting of critical internet infrastructure by this threat
| actor.
|
| https://www.cisa.gov/news-events/cybersecurity-advisories/aa...
| JKCalhoun wrote:
| No one seems to be telling who got pwned. Another article
| suggested one of the ISPs was a "big one".
| 2OEH8eoCRo0 wrote:
| We are so fucked we just don't know it yet.
| ck2 wrote:
| > _during any future armed conflict with China_
|
| Well, there's a sentence to think about in horror.
| Sysreq2 wrote:
| The odds are getting higher by the day. There is a lot
| happening in the world with China's economic blessing. American
| sanctions don't work when China manufactures everything.
| 0xdeadbeefbabe wrote:
| But who will buy their stuff then?
| Lonestar1440 wrote:
| "The advisory placed much of the blame on Versa customers who
| "failed to implement system hardening and firewall
| guidelines...leaving a management port exposed on the internet
| that provided the threat actors with initial access.""
|
| If ISPs are leaving management ports open on the Internet, it's
| going to take more than a vendor patch to protect them from cyber
| warfare.
| halJordan wrote:
| Yeah, but come on. Every time someone says "There needs to be a
| regulation or a certification" forcing cyber hygiene, this whole
| site rises up in arms clamoring that checklists mean nothing
| and prevent nothing.
|
| This is what you get when there's no checklist enforced. I
| would like to see all those people pour into the conversation
| jumping up and down with glee that their plan worked.
| Lonestar1440 wrote:
| The objection to regulations, checklists, etc. seems to stem
| from the idea that the checklist will include 100 useless or
| worse items (405.i.18: Passwords MUST BE rotated by the user
| every 30 days) for every good one like "close the damn
| ports". In theory, such a thing will just slow a solid admin
| down.
|
| I don't think this aligns with the reality of modern IT. Even
| with high competence and good intentions, it's an
| organizational problem and mistakes are easy.
|
| We need better checklists, I guess.
| vlovich123 wrote:
| It's worse & an intractable problem. "Close the damn ports"
| may very well be one of those useless items for one team and
| relevant to another. So do you have team-specific
| checklists or generic checklists that everyone must follow?
| If you have specific checklists, then you miss things that
| are relevant. And what happens when you make a change to
| how the system works & some item is no longer relevant
| while another becomes relevant? There are no easy answers
| here, I think, with respect to checklists.
| Lonestar1440 wrote:
| Sure, you can't make a perfect checklist.
|
| But you can, as an organization, choose to follow one and
| be "Secure by default", with exceptions e.g. "Open a port
| other than 443 to the Internet" being understood and risk
| managed.
|
| It will slow down developers, for sure. But everything's
| a tradeoff.
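| One way to put the "secure by default, exceptions risk-managed"
| idea into code. This is an added example, not from the thread or
| from any vendor; the management networks, rule set, port numbers
| and exception ticket are all constructed for illustration.

```python
"""Audit ingress rules against a 'secure by default' policy: only TCP/443
may be reachable from outside trusted management networks, unless the
(proto, port) pair has a documented, risk-accepted exception."""
from dataclasses import dataclass
from ipaddress import ip_network

# Networks from which management access is expected (constructed sample).
MGMT_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]

# Reviewed exceptions: each exposed pair must map to an owner/ticket so the
# accepted risk is traceable (constructed sample, hypothetical ticket id).
EXCEPTIONS = {("tcp", 2222): "RISK-0042 bastion SSH, MFA enforced"}

DEFAULT_PUBLIC = {("tcp", 443)}  # the one service allowed to the Internet


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    port: int
    source: str  # CIDR permitted to reach this port


def is_internet_exposed(source: str) -> bool:
    """True unless the source CIDR lies entirely inside a trusted net."""
    src = ip_network(source)
    return not any(src.subnet_of(net) for net in MGMT_NETWORKS)


def audit(rules):
    """Return (rule name, status, detail) for every externally exposed rule."""
    findings = []
    for r in rules:
        key = (r.proto.lower(), r.port)
        if not is_internet_exposed(r.source) or key in DEFAULT_PUBLIC:
            continue  # internal-only, or the default-allowed public service
        if key in EXCEPTIONS:
            findings.append((r.name, "risk-accepted", EXCEPTIONS[key]))
        else:
            findings.append((r.name, "VIOLATION", "exposed without exception"))
    return findings


def violations(rules):
    return [name for name, status, _ in audit(rules) if status == "VIOLATION"]


# Constructed rule set: one public web port, an exposed management UI, an
# internal-only SSH rule, a risk-accepted bastion, and SNMP open to a /24.
SAMPLE_RULES = [
    Rule("https-public", "tcp", 443, "0.0.0.0/0"),
    Rule("mgmt-web", "tcp", 9443, "0.0.0.0/0"),
    Rule("mgmt-ssh-internal", "tcp", 22, "10.20.0.0/16"),
    Rule("bastion-ssh", "tcp", 2222, "0.0.0.0/0"),
    Rule("snmp", "udp", 161, "203.0.113.0/24"),
]
```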
| vlovich123 wrote:
| I'm just saying that the objection of N:1 ratio of bad to
| good items on a checklist remains precisely because of
| the reasons I outlined. I have seen this repeatedly in
| design spec reviews to the point that people start
| skipping the checklist because it's worthless
| boilerplate.
| SoftTalker wrote:
| My thought was something like UL certification on IT
| devices, the way they certify that products are
| electrically safe and won't start fires, they could certify
| at minimum that they don't have any open ports by default,
| are not delivered with default well-known or easily guessed
| passwords, are not running ancient versions of ssh or php
| or other software, are resistant to online attacks at least
| at a "script kiddie" level, etc.
|
| The problem with that, however, is that vulnerabilities are
| constantly discovered, and what is safe today is not safe
| tomorrow. Electrical safety and fire resistance are much
| more permanent: if it's done right, it's likely to be safe
| for a long time.
| Veserv wrote:
| We already have that. The Common Criteria (ISO 15408) has
| existed for literal decades at this point and is required
| for usage in government systems.
|
| Vendors just find it too difficult to certify against
| attacks at the "script kiddie" level, so they lobbied the
| government to lower the standards so even the lowest
| rated systems, ones not even audited for security, are
| allowed for general usage in critical systems.
|
| The large commercial vendors, such as Apple, Microsoft,
| or Amazon, have spent billions of dollars and literal
| decades trying to improve their security and have
| uniformly failed to certify that they can deploy any
| system that can protect against small commercial teams,
| unlike actual high-security vendors who can produce
| systems secure against even state actors.
| halJordan wrote:
| And yet, in any other context-
| https://www.google.com/search?q=site%3Ahttps%3A%2F%2Fnews.yc...
|
| You can find hundreds of upvotes for checklists. The same
| sort of institutionally-decreed checklists. For every admin
| that lets compromised passwords linger there's one that
| closes his port, and vice versa.
|
| It's a cultural resentment of being forced to do the simple
| things. You don't honestly think a doctor needs to be told
| how to prep for surgery. But the doctor has and follows a
| checklist. You don't honestly think a pilot needs to be
| told how to prep for departure, but the pilot follows a
| checklist.
|
| Watching "modern IT" people demand special treatment
| because "modern IT" is just built different than modern
| flying or modern surgery is watching the height of
| arrogance.
| mmsc wrote:
| In many ways, anybody that leaves a management port open to
| the internet is to blame. It's not even security 101, it's
| sysadmin 101.
|
| It's like leaving a BMC open to the internet: these things are
| built with no security in mind, and can be rooted as soon as
| they can be connected to.
| Sysreq2 wrote:
| Relevant: https://samcurry.net/hacking-millions-of-modems
| metadat wrote:
| This is a fun article. It was also discussed at the time:
|
| _Hacking millions of modems and investigating who hacked my
| modem_ - https://news.ycombinator.com/item?id=40570781 - June
| 2024 (13 comments)
| password4321 wrote:
| As per your link the actual discussion is
| https://news.ycombinator.com/item?id=40560010 (277
| comments)
| metadat wrote:
| Thanks for the backfill! That's a much better link.
| idunnoman1222 wrote:
| So... if your ISP automatically updates your modem's firmware, you
| may be backdoored.
| halJordan wrote:
| Your modems already have a backdoor. Your wifi password is
| stored on their servers and modems already will execute
| arbitrary code through the management interface.
___________________________________________________________________
(page generated 2024-08-27 23:01 UTC)