Cybersecurity Advisories

Volt Typhoon Detection and Mitigation

Alert Code: AA23-144A

The NSA, CISA, FBI, ACSC, CCCS, NCSC-NZ, and NCSC-UK have released a joint cybersecurity advisory regarding recently unveiled activity of the China-linked, state-backed APT group tracked as Volt Typhoon. The state-sponsored group has been reported spying on a range of U.S. critical infrastructure organizations, from telecommunications to transportation hubs, and is part of a U.S. disinformation campaign.

Although espionage appears to be the goal, Microsoft assesses with moderate confidence that this campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises.

The initial attack vector is the compromise of Internet-exposed Fortinet FortiGuard devices by exploiting an unknown zero-day vulnerability. A primary TTP used by the actor is living off the land, which relies on built-in network administration tools to accomplish their objectives. This allows the actor to evade detection by blending in with normal Windows system and network activity, to avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and to limit the amount of activity captured in default logging configurations. Built-in tools used by the actor include wmic, ntdsutil, netsh, and PowerShell. However, the threat actors were also seen using open-source tools such as Fast Reverse Proxy (frp), the Mimikatz credential-stealing tool, and the Impacket networking framework.

To blend in with legitimate network traffic and evade detection, Volt Typhoon routes activity through compromised small office and home office (SOHO) network equipment from ASUS, Cisco, D-Link, Netgear, FatPipe, and Zyxel, such as routers, firewalls, and VPN appliances. If privileged access is obtained after compromising the Fortinet devices, the attackers can dump credentials through LSASS. This allows them to deploy Awen-based web shells for data exfiltration and persistence on the compromised systems.

The persistent focus on critical infrastructure indicates preparation for disruptive or destructive cyber-attacks and hints at a collective effort to provide China with access in the event of a future conflict between the two countries. Microsoft proactively reached out to all customers that were either targeted or compromised in these attacks to provide them with the information required to secure their networks against future intrusion attempts.

[Figure: Volt Typhoon attack flow]

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity: 

MDR Services 

  • We utilize several threat feeds that are updated daily
  • In addition to our automatic threat feeds, we have added indicators related to known malicious threat actors into our MDR solution, FortiSIEM.

EDR Services 

  • Carbon Black and Defender for Endpoint have announced Volt Typhoon related detections
  • In addition to ongoing vendor IoC updates, we have implemented known IoC information to help with detection. 

Indicators are provided in the Indicators of Compromise section below for your reference.

As always, if we detect activity related to these exploits, we will alert you when applicable. 


Targets and breached entities span a wide range of critical sectors including government, maritime, communications, manufacturing, information technology, utilities, transportation, construction, and education.

Recommended Mitigations

  • Harden domain controllers and monitor event logs for ntdsutil.exe and similar process creations. Additionally, any use of administrator privileges should be audited and validated to confirm the legitimacy of executed commands.
  • Administrators should limit port proxy usage within environments and only enable them for the period of time in which they are required.
  • Investigate unusual IP addresses and ports in command lines, registry entries, and firewall logs to identify other hosts that are potentially involved in actor actions.
  • In addition to host-level changes, review perimeter firewall configurations for unauthorized changes and/or entries that may permit external connections to internal hosts.
  • Look for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons (e.g., a user logging on from two geographically separated locations at the same time).
  • Forward log files to a hardened centralized logging server, preferably on a segmented network.
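The living-off-the-land description above and the mitigation list turn on the same two checks: spotting built-in tools (ntdsutil, netsh port proxy, log clearing) in process-creation and audit events, and spotting impossible time-and-distance logons. The following is an added example of both checks in Python; it is not code from the advisory, SecurIT360, or any vendor. The record layout (event_id, host, user, cmdline, and the lat/lon logon fields), the internal address ranges, and the 900 km/h and 50 km thresholds are assumptions, and every record is constructed sample data.

```python
"""Added example: simple detections for the behaviours in the mitigation list.

All records below are constructed sample data in an assumed SIEM-export shape
(field names "event_id", "host", "user", "cmdline"); they are not real logs.
"""
import ipaddress
import math
import re
from datetime import datetime
from itertools import groupby

# Assumption: internal address space that command-line targets normally fall in.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Built-in tools the advisory says to watch for in process-creation events.
RULES = (
    ("ntdsutil.exe executed (AD database tooling)", re.compile(r"\bntdsutil(\.exe)?\b", re.I)),
    ("netsh portproxy change", re.compile(r"\bnetsh\b.*\bportproxy\b", re.I)),
)
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def review_event(event):
    """Return the reasons a single 4688/1102 record deserves analyst attention."""
    if event.get("event_id") == 1102:          # audit log cleared (Indicator Removal)
        return ["security event log cleared"]
    cmd = event.get("cmdline", "")
    reasons = [label for label, pattern in RULES if pattern.search(cmd)]
    for ip_text in IPV4_RE.findall(cmd):       # unusual addresses in command lines
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:                     # e.g. 999.1.1.1 is not an address
            continue
        if not any(ip in net for net in INTERNAL_NETS):
            reasons.append(f"non-internal address in command line: {ip_text}")
    return reasons


def triage(events):
    """Keep only the records that matched, with their host, user and reasons."""
    hits = []
    for event in events:
        reasons = review_event(event)
        if reasons:
            hits.append({"host": event["host"], "user": event["user"], "reasons": reasons})
    return hits


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(logons, max_kmh=900.0, min_km=50.0):
    """Consecutive logons by one user that would need faster-than-airliner travel.

    max_kmh and min_km are assumed thresholds: roughly airliner speed, and a
    floor that ignores moves within one metro area.
    """
    hits = []
    ordered = sorted(logons, key=lambda e: (e["user"], e["time"]))
    for user, group in groupby(ordered, key=lambda e: e["user"]):
        events = list(group)
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (datetime.fromisoformat(cur["time"])
                     - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            if km >= min_km and (hours <= 0 or km / hours > max_kmh):
                hits.append((user, prev["city"], cur["city"], round(km), round(hours, 2)))
    return hits


# Constructed sample records (TEST-NET addresses, fictional hosts and users).
PROCESS_EVENTS = [
    {"event_id": 4688, "host": "DC01", "user": "CORP\\jdoe", "cmdline": "ntdsutil.exe"},
    {"event_id": 4688, "host": "WS22", "user": "CORP\\jdoe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 "
                "connectaddress=192.0.2.10 connectport=8443"},
    {"event_id": 4688, "host": "WS07", "user": "CORP\\asmith",
     "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"},
    {"event_id": 4688, "host": "WS07", "user": "CORP\\asmith", "cmdline": "ping 10.0.0.5"},
    {"event_id": 1102, "host": "DC01", "user": "CORP\\jdoe", "cmdline": ""},
]
LOGON_EVENTS = [
    {"user": "alice", "time": "2023-05-24T09:00:00", "city": "New York", "lat": 40.71, "lon": -74.01},
    {"user": "alice", "time": "2023-05-24T10:30:00", "city": "London", "lat": 51.51, "lon": -0.13},
    {"user": "bob", "time": "2023-05-24T08:00:00", "city": "Dallas", "lat": 32.78, "lon": -96.80},
    {"user": "bob", "time": "2023-05-24T13:00:00", "city": "Houston", "lat": 29.76, "lon": -95.37},
]

if __name__ == "__main__":
    for hit in triage(PROCESS_EVENTS):
        print(hit)
    for hit in impossible_travel(LOGON_EVENTS):
        print("impossible travel:", hit)
```

Run as a script it prints three process hits (the ntdsutil execution, the portproxy change with its non-internal connect address, and the cleared log) and one impossible-travel pair for alice; bob's Dallas-to-Houston move over five hours stays silent. In production the same rules would be fed from a 4688/1102 forwarder on the segmented logging server the last bullet recommends, and the allowlist of internal ranges and the travel thresholds would be tuned per environment.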

MITRE Summary

Tactic | Technique | Description
Initial Access | Exploit Public-facing Application | Actor used public-facing applications to gain initial access to systems; in this case, Earthworm and PortProxy.
 | Windows Management Instrumentation | The actor executed WMIC commands to create a copy of the SYSTEM registry.
 | Command and Scripting Interpreter: PowerShell | The actor used a PowerShell command to identify successful logons to the host.
 | Command and Scripting Interpreter: Windows Command Shell | The actor used the command prompt to execute a query that collected information about the storage devices on the local host.
 | Server Software Component: Web Shell | The actor used backdoored web servers with web shells to establish persistence on systems; some of the web shells were derived from the Awen web shell.
Defense Evasion | Hide Artifacts | The actor selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of their intrusion activity.
 | Indicator Removal: Clear Windows Event Logs | The actor cleared system event logs to hide activity of an intrusion.
Credential Access | OS Credential Dumping: NTDS | The actor may try to exfiltrate the ntds.dit file and the SYSTEM registry hive out of the network to perform password cracking.
 | Brute Force | The actor attempted to gain access to accounts with multiple password attempts.
 | Brute Force: Password Spraying | The actor used commonly used passwords against accounts to attempt to acquire valid credentials.
 | OS Credential Dumping | The actor used additional commands to obtain credentials in the environment.
 | Credentials from Password Stores | The actors searched for common password storage locations.
 | System Information Discovery | The actors executed commands to gather information about local drives.
 | System Owner/User Discovery | The actors gathered information about successful logons to the host using a PowerShell command.
 | Permission Groups Discovery: Local Groups | The actors attempted to find local system groups and permission settings.
 | Permission Groups Discovery: Domain Groups | The actors used commands to enumerate the Active Directory structure.
 | System Network Configuration Discovery | The actors used commands to enumerate the network topology.
Command and Control | | The actors used commands to enable port forwarding on the host.
 | Proxy: External Proxy | The actors used compromised SOHO devices (e.g., routers) to obfuscate the source of their activity.

Resources & Related Articles

KeePass Flaw Lets Attackers Recover Master Passwords from Memory

An issue was discovered impacting the popular KeePass password manager which affects KeePass versions 2.x for Windows, Linux, and macOS, and is expected to be patched in version 2.54. Tracked as CVE-2023-32784, the vulnerability allows recovery of the cleartext master password from a memory dump, even when the database is locked or the program is closed. 

It is important to note that successful exploitation of the flaw requires an attacker to have already compromised the target's computer. It also requires that the master password was typed on a keyboard rather than pasted from the clipboard.

The developer of KeePass promises to push a fix for CVE-2023-32784 on version 2.54, expected to be released in June or July 2023.   

Proof of Concept  

Affected Versions  

All existing versions of KeePass 2.x (e.g., 2.53.1) are affected. Meanwhile, KeePass 1.x (an older edition of the program that’s still being maintained), KeePassXC, and Strongbox, which are other password managers compatible with KeePass database files, are not affected.   


  • Users are advised to update to KeePass 2.54 once it becomes available. 
  • Restarting the computer, clearing your swap file and hibernation files, and not using KeePass until the new version is released are reasonable safety measures for the time being. 
  • For the best protection, be vigilant about not downloading programs from untrusted sites and beware of phishing attacks that may infect your devices, giving threat actors remote access to your device and your KeePass database.  

Technical Details

The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system.

The master password encrypts the KeePass password database and prevents it from being opened without first entering the password. If that master password is compromised, a threat actor can access every credential stored in the database. A proof-of-concept tool was made available that can recover a victim's master password in cleartext under specific circumstances. BleepingComputer tested this tool by installing KeePass on a test device and creating a new database with "password123" as the master password.

After locking the workspace, Process Explorer was used to dump the memory of the KeePass process; a full memory dump was required for the tool to work correctly. No elevated privileges were needed to dump the process's memory. The PoC tool was then compiled and executed against the memory dump and recovered most of the cleartext password, with only a few letters missing. Master passwords used in the past can remain in memory, so they can still be retrieved even if KeePass is no longer running on the breached computer.
