Alert Code: AA23-144A
The NSA, CISA, FBI, ACSC, CCCS, NCSC-NZ, and NCSC-UK have released a joint cybersecurity advisory regarding a recently unveiled adversary activity of the China-linked nation-backed APT group tracked as Volt Typhoon. The state-sponsored group has been reported spying on a range of U.S. critical infrastructure organizations, from telecommunications to transportation hubs and is part of a U.S. disinformation campaign.
Although espionage seems to be the goal, Microsoft assesses with moderate confidence that this campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.
The initial attack vector is the compromise of Internet-exposed Fortinet FortiGuard devices by exploiting an unknown zero-day vulnerability. A primary TTP used by the actor is living off the land which utilizes built-in network administration tools to perform their objectives. This allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations. Built-in tools that are used by the actor include wmic, ntdsutil, netsh, and PowerShell. However, threat actors were also seen using open-source tools such as Fast Reverse Proxy (frp), the Mimikatz credential-stealing tool, and the Impacket networking framework.
To blend in with legitimate network traffic and evade detection, Volt Typhoon employs compromised small office and home office (SOHO) network equipment from ASUS, Cisco, D-Link, Netgear, FatPipe, and Zyxel, such as routers, firewalls, and VPN appliances. If privileged access is obtained after compromising the Fortinet devices, the attackers can dump credentials through the LSASS. This allows them to deploy Awen-based web shells for data exfiltration and persistence on the hacked systems.
Persistent focus on critical infrastructure indicates preparation for disruptive or destructive cyber-attacks and hints at a collective effort to provide China with access in the event of a future conflict between the two countries. Microsoft proactively reached out to all customers that were either targeted or compromised in these attacks to provide them with the information required to secure their networks from future hacking attempts.
Volt Typhoon attack flow
SecurIT360 SOC Managed Services
If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:
- We utilize several threat feeds that are updated frequently on a daily basis
- In addition to our automatic threat feeds, we have added indicators related to known malicious threat actors into our MDR solution, FortiSIEM.
- Carbon Black and Defender for Endpoint have announced Volt Typhoon related detections
- In addition to ongoing vendor IoC updates, we have implemented known IoC information to help with detection.
Indicators are provided in the Indicators of Compromise section below for your reference.
As always, if we detect activity related to these exploits, we will alert you when applicable.
Targets and breached entities span a wide range of critical sectors including government, maritime, communications, manufacturing, information technology, utilities, transportation, construction, and education.
- Harden domain controllers and monitor event logs for ntdsutil.exe and similar process creations. Additionally, any use of administrator privileges should be audited and validated to confirm the legitimacy of executed commands.
- Administrators should limit port proxy usage within environments and only enable them for the period of time in which they are required.
- Investigate unusual IP addresses and ports in command lines, registry entries, and firewall logs to identify other hosts that are potentially involved in actor actions.
- In addition to host-level changes, review perimeter firewall configurations for unauthorized changes and/or entries that may permit external connections to internal hosts.
- Look for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons (e.g., a user logging on from two geographically separated locations at the same time).
- Forward log files to a hardened centralized logging server, preferably on a segmented network.
Exploit Public-facing Application
Actor used public-facing applications to gain initial access to systems; in this case, Earthworm and PortProxy.
Windows Management Instrumentation
The actor executed WMIC commands to create a copy of the SYSTEM registry.
Command and Scripting Interpreter: PowerShell
The actor used a PowerShell command to identify successful logons to the host.
Command and Scripting Interpreter: Windows Command Shell
The actor used this primary command prompt to execute a query that collected information about the storage devices on the local host.
Server Software Component: Web Shell
The actor used backdoor web servers with web shells to establish persistence to systems, including some of the webshells being derived from Awen webshell.
The actor selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of their intrusion activity.
Indicator Removal: Clear Windows Event Logs
The actor cleared system event logs to hide activity of an intrusion.
OS Credential Dumping: NTDS
The actor may try to exfiltrate the ntds.dit file and the SYSTEM registry hive out of the network to perform password cracking.
The actor attempted to gain access to accounts with multiple password attempts.
Brute Force: Password Spraying
The actor used commonly used passwords against accounts to attempt to acquire valid credentials.
OS Credential Dumping
The actor used additional commands to obtain credentials in the environment.
Credentials from Password Stores
The actors searched for common password storage locations.
System Information Discovery
The actors executed commands to gather information about local drives.
System Owner/User Discovery
The actors gathered information about successful logons to the host using a PowerShell command.
Permission Groups Discovery: Local Groups
The actors attempt to find local system groups and permission settings.
Permission Groups Discovery: Doman Groups
The actors used commands to enumerate the active directory structure.
System Network Configuration Discovery
The actors used commands to enumerate the network topology.
Command and Control
The actors used commands to enable port forwarding on the host.
Proxy: External Proxy
The actors used compromised SOHO devices (e.g. routers) to obfuscate the source of their activity.
Resources & Related Articles