Categories
Cybersecurity Advisories

Volt Typhoon Detection and Mitigation

Alert Code: AA23-144A

The NSA, CISA, FBI, ACSC, CCCS, NCSC-NZ, and NCSC-UK have released a joint cybersecurity advisory regarding a recently unveiled adversary activity of the China-linked nation-backed APT group tracked as Volt Typhoon. The state-sponsored group has been reported spying on a range of U.S. critical infrastructure organizations, from telecommunications to transportation hubs and is part of a U.S. disinformation campaign.

Although espionage seems to be the goal, Microsoft assesses with moderate confidence that this campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.

The initial attack vector is the compromise of Internet-exposed Fortinet FortiGuard devices by exploiting an unknown zero-day vulnerability. A primary TTP used by the actor is living off the land which utilizes built-in network administration tools to perform their objectives. This allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations. Built-in tools that are used by the actor include wmic, ntdsutil, netsh, and PowerShell. However, threat actors were also seen using open-source tools such as Fast Reverse Proxy (frp), the Mimikatz credential-stealing tool, and the Impacket networking framework.

To blend in with legitimate network traffic and evade detection, Volt Typhoon employs compromised small office and home office (SOHO) network equipment from ASUS, Cisco, D-Link, Netgear, FatPipe, and Zyxel, such as routers, firewalls, and VPN appliances. If privileged access is obtained after compromising the Fortinet devices, the attackers can dump credentials through the LSASS. This allows them to deploy Awen-based web shells for data exfiltration and persistence on the hacked systems.

Persistent focus on critical infrastructure indicates preparation for disruptive or destructive cyber-attacks and hints at a collective effort to provide China with access in the event of a future conflict between the two countries. Microsoft proactively reached out to all customers that were either targeted or compromised in these attacks to provide them with the information required to secure their networks from future hacking attempts.

Volt Typhoon attack flow

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity: 

MDR Services 

  • We utilize several threat feeds that are updated frequently on a daily basis
  • In addition to our automatic threat feeds, we have added indicators related to known malicious threat actors into our MDR solution, FortiSIEM.

EDR Services 

  • Carbon Black and Defender for Endpoint have announced Volt Typhoon related detections
  • In addition to ongoing vendor IoC updates, we have implemented known IoC information to help with detection. 

Indicators are provided in the Indicators of Compromise section below for your reference.

As always, if we detect activity related to these exploits, we will alert you when applicable. 

Victimology

Targets and breached entities span a wide range of critical sectors including government, maritime, communications, manufacturing, information technology, utilities, transportation, construction, and education.

Recommended Mitigations

  • Harden domain controllers and monitor event logs for ntdsutil.exe and similar process creations. Additionally, any use of administrator privileges should be audited and validated to confirm the legitimacy of executed commands.
  • Administrators should limit port proxy usage within environments and only enable them for the period of time in which they are required.
  • Investigate unusual IP addresses and ports in command lines, registry entries, and firewall logs to identify other hosts that are potentially involved in actor actions.
  • In addition to host-level changes, review perimeter firewall configurations for unauthorized changes and/or entries that may permit external connections to internal hosts.
  • Look for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons (e.g., a user logging on from two geographically separated locations at the same time).
  • Forward log files to a hardened centralized logging server, preferably on a segmented network.

MITRE Summary

Initial Access

  

Technique Title

ID

Use

Exploit Public-facing Application

T1190

Actor used public-facing applications to gain initial access to systems; in this case, Earthworm and PortProxy.

Execution

  

Windows Management Instrumentation

T1047

The actor executed WMIC commands to create a copy of the SYSTEM registry.

Command and Scripting Interpreter: PowerShell

T1059.001

The actor used a PowerShell command to identify successful logons to the host.

Command and Scripting Interpreter: Windows Command Shell

T1059.003

The actor used this primary command prompt to execute a query that collected information about the storage devices on the local host.

Persistence

  

Server Software Component: Web Shell

T1505.003

The actor used backdoor web servers with web shells to establish persistence to systems, including some of the webshells being derived from Awen webshell.

Defense Evasion

  

Hide Artifacts

T1546

The actor selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of their intrusion activity.

Indicator Removal: Clear Windows Event Logs

T1070.001

The actor cleared system event logs to hide activity of an intrusion.

Credential Access

  

OS Credential Dumping: NTDS

T1003.003

The actor may try to exfiltrate the ntds.dit file and the SYSTEM registry hive out of the network to perform password cracking.

Brute Force

T1110

The actor attempted to gain access to accounts with multiple password attempts.

Brute Force: Password Spraying

T1110.003

The actor used commonly used passwords against accounts to attempt to acquire valid credentials.

OS Credential Dumping

T1003

The actor used additional commands to obtain credentials in the environment.

Credentials from Password Stores

T1555

The actors searched for common password storage locations.

Discovery

  

System Information Discovery

T1082

The actors executed commands to gather information about local drives.

System Owner/User Discovery

T1033

The actors gathered information about successful logons to the host using a PowerShell command.

Permission Groups Discovery: Local Groups

T1069.001

The actors attempt to find local system groups and permission settings.

Permission Groups Discovery: Doman Groups

T1069.002

The actors used commands to enumerate the active directory structure.

System Network Configuration Discovery

T1016

The actors used commands to enumerate the network topology.

Command and Control

  

Proxy

T1090

The actors used commands to enable port forwarding on the host.

Proxy: External Proxy

T1090.002

The actors used compromised SOHO devices (e.g. routers) to obfuscate the source of their activity.

IOCS

f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd

ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31

d6ebde42457fe4b2a927ce53fc36f465f0000da931cfab9b79a36083e914ceca

472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d

66a19f7d2547a8a85cee7a62d0b6114fd31afdee090bd43f36b89470238393d7

3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71

41e5181b9553bbe33d91ee204fe1d2ca321ac123f9147bb475c0ed32f9488597

c7fee7a3ffaf0732f42d89c4399cbff219459ae04a81fc6eff7050d53bd69b99

3a9d8bb85fbcfe92bae79d5ab18e4bca9eaf36cea70086e8d1ab85336c83945f

fe95a382b4f879830e2666473d662a24b34fccf34b6b3505ee1b62b32adafa15

ee8df354503a56c62719656fae71b3502acf9f87951c55ffd955feec90a11484

baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c

b4f7c5e3f14fb57be8b5f020377b993618b6e3532a4e1eb1eae9976d4130cc74

4b0c4170601d6e922cf23b1caf096bba2fade3dfcf92f0ab895a5f0b9a310349

c0fc29a52ec3202f71f6378d9f7f9a8a3a10eb19acb8765152d758aded98c76d

d6ab36cb58c6c8c3527e788fc9239d8dcc97468b6999cf9ccd8a815c8b4a80af

9dd101caee49c692e5df193b236f8d52a07a2030eed9bd858ed3aaccb406401a

450437d49a7e5530c6fb04df2e56c3ab1553ada3712fab02bd1eeb1f1adbc267

93ce3b6d2a18829c0212542751b309dacbdc8c1d950611efe2319aa715f3a066

7939f67375e6b14dfa45ec70356e91823d12f28bbd84278992b99e0d2c12ace5

389a497f27e1dd7484325e8e02bbdf656d53d5cf2601514e9b8d8974befddf61

c4b185dbca490a7f93bc96eefb9a597684fdf532d5a04aa4d9b4d4b1552c283b

e453e6efc5a002709057d8648dbe9998a49b9a12291dee390bb61c98a58b6e95

6036390a2c81301a23c9452288e39cb34e577483d121711b6ba6230b29a3c9ff

cd69e8a25a07318b153e01bba74a1ae60f8fc28eb3d56078f448461400baa984

17506c2246551d401c43726bdaec800f8d41595d01311cf38a19140ad32da2f4

8fa3e8fdbaa6ab5a9c44720de4514f19182adc0c9c6001c19cf159b79c0ae9c2

d17317e1d5716b09cee904b8463a203dc6900d78ee2053276cc948e4f41c8295

3e9fc13fab3f8d8120bd01604ee50ff65a40121955a4150a6d2c007d34807642

Resources & Related Articles

Categories
Cybersecurity Advisories

KeePass Flaw Lets Attackers Recover Master Passwords from Memory

An issue was discovered impacting the popular KeePass password manager which affects KeePass versions 2.x for Windows, Linux, and macOS, and is expected to be patched in version 2.54. Tracked as CVE-2023-32784, the vulnerability allows recovery of the cleartext master password from a memory dump, even when the database is locked or the program is closed. 

It is important to note that successful exploitation of the flaw requires an attacker to have already compromised a potential target’s computer. Additionally, it also requires that the password is typed on a keyboard, and not copied from the device’s clipboard.   

The developer of KeePass promises to push a fix for CVE-2023-32784 on version 2.54, expected to be released in June or July 2023.   

Proof of Concept  

Affected Versions  

All existing versions of KeePass 2.x (e.g., 2.53.1) are affected. Meanwhile, KeePass 1.x (an older edition of the program that’s still being maintained), KeePassXC, and Strongbox, which are other password managers compatible with KeePass database files, are not affected.   

Recommendations

  • Users are advised to update to KeePass 2.54 once it becomes available. 
  • Restarting the computer, clearing your swap file and hibernation files, and not using KeePass until the new version is released are reasonable safety measures for the time being. 
  • For the best protection, be vigilant about not downloading programs from untrusted sites and beware of phishing attacks that may infect your devices, giving threat actors remote access to your device and your KeePass database.  

Technical Details 
The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system.  

The master password encrypts the KeePass password database and prevents it from being opened without first entering the password. If that master password becomes compromised, a threat actor can access every credential stored in the database. A proof-of-concept tool was made available that could be exploited to recover a victim’s master password in cleartext under specific circumstances. BleepingComputer tested this tool by installing KeePass on a test device and created a new database with “password123” being the master password.   

After locking the workspace, Process Explorer was used in tests to dump the memory of the KeePass project but required a full memory dump to work correctly. No elevated privileges were needed to dump the process’ memory. The PoC tool was later compiled and executed against their memory dump and recovered most of the cleartext password, with only a few letters missing. Master passwords used in the past can remain in memory, so they can still be retrieved even if KeePass is no longer running on the breached computer.  

Resources & Related Articles