Alert Code: AA23-144A
The NSA, CISA, FBI, ACSC, CCCS, NCSC-NZ, and NCSC-UK have released a joint cybersecurity advisory regarding a recently unveiled adversary activity of the China-linked nation-backed APT group tracked as Volt Typhoon. The state-sponsored group has been reported spying on a range of U.S. critical infrastructure organizations, from telecommunications to transportation hubs and is part of a U.S. disinformation campaign.
Although espionage seems to be the goal, Microsoft assesses with moderate confidence that this campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.
The initial attack vector is the compromise of Internet-exposed Fortinet FortiGuard devices by exploiting an unknown zero-day vulnerability. A primary TTP used by the actor is living off the land which utilizes built-in network administration tools to perform their objectives. This allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations. Built-in tools that are used by the actor include wmic, ntdsutil, netsh, and PowerShell. However, threat actors were also seen using open-source tools such as Fast Reverse Proxy (frp), the Mimikatz credential-stealing tool, and the Impacket networking framework.
To blend in with legitimate network traffic and evade detection, Volt Typhoon employs compromised small office and home office (SOHO) network equipment from ASUS, Cisco, D-Link, Netgear, FatPipe, and Zyxel, such as routers, firewalls, and VPN appliances. If privileged access is obtained after compromising the Fortinet devices, the attackers can dump credentials through the LSASS. This allows them to deploy Awen-based web shells for data exfiltration and persistence on the hacked systems.
Persistent focus on critical infrastructure indicates preparation for disruptive or destructive cyber-attacks and hints at a collective effort to provide China with access in the event of a future conflict between the two countries. Microsoft proactively reached out to all customers that were either targeted or compromised in these attacks to provide them with the information required to secure their networks from future hacking attempts.
Volt Typhoon attack flow
SecurIT360 SOC Managed Services
If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:
MDR Services
- We utilize several threat feeds that are updated frequently on a daily basis
- In addition to our automatic threat feeds, we have added indicators related to known malicious threat actors into our MDR solution, FortiSIEM.
EDR Services
- Carbon Black and Defender for Endpoint have announced Volt Typhoon related detections
- In addition to ongoing vendor IoC updates, we have implemented known IoC information to help with detection.
Indicators are provided in the Indicators of Compromise section below for your reference.
As always, if we detect activity related to these exploits, we will alert you when applicable.
Victimology
Targets and breached entities span a wide range of critical sectors including government, maritime, communications, manufacturing, information technology, utilities, transportation, construction, and education.
Recommended Mitigations
- Harden domain controllers and monitor event logs for ntdsutil.exe and similar process creations. Additionally, any use of administrator privileges should be audited and validated to confirm the legitimacy of executed commands.
- Administrators should limit port proxy usage within environments and only enable them for the period of time in which they are required.
- Investigate unusual IP addresses and ports in command lines, registry entries, and firewall logs to identify other hosts that are potentially involved in actor actions.
- In addition to host-level changes, review perimeter firewall configurations for unauthorized changes and/or entries that may permit external connections to internal hosts.
- Look for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons (e.g., a user logging on from two geographically separated locations at the same time).
- Forward log files to a hardened centralized logging server, preferably on a segmented network.
MITRE Summary
Initial Access | ||
Technique Title | ID | Use |
Exploit Public-facing Application | Actor used public-facing applications to gain initial access to systems; in this case, Earthworm and PortProxy. | |
Execution | ||
Windows Management Instrumentation | The actor executed WMIC commands to create a copy of the SYSTEM registry. | |
Command and Scripting Interpreter: PowerShell | The actor used a PowerShell command to identify successful logons to the host. | |
Command and Scripting Interpreter: Windows Command Shell | The actor used this primary command prompt to execute a query that collected information about the storage devices on the local host. | |
Persistence | ||
Server Software Component: Web Shell | The actor used backdoor web servers with web shells to establish persistence to systems, including some of the webshells being derived from Awen webshell. | |
Defense Evasion | ||
Hide Artifacts | The actor selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of their intrusion activity. | |
Indicator Removal: Clear Windows Event Logs | The actor cleared system event logs to hide activity of an intrusion. | |
Credential Access | ||
OS Credential Dumping: NTDS | The actor may try to exfiltrate the ntds.dit file and the SYSTEM registry hive out of the network to perform password cracking. | |
Brute Force | The actor attempted to gain access to accounts with multiple password attempts. | |
Brute Force: Password Spraying | The actor used commonly used passwords against accounts to attempt to acquire valid credentials. | |
OS Credential Dumping | The actor used additional commands to obtain credentials in the environment. | |
Credentials from Password Stores | The actors searched for common password storage locations. | |
Discovery | ||
System Information Discovery | The actors executed commands to gather information about local drives. | |
System Owner/User Discovery | The actors gathered information about successful logons to the host using a PowerShell command. | |
Permission Groups Discovery: Local Groups | The actors attempt to find local system groups and permission settings. | |
Permission Groups Discovery: Doman Groups | The actors used commands to enumerate the active directory structure. | |
System Network Configuration Discovery | The actors used commands to enumerate the network topology. | |
Command and Control | ||
Proxy | The actors used commands to enable port forwarding on the host. | |
Proxy: External Proxy | The actors used compromised SOHO devices (e.g. routers) to obfuscate the source of their activity. |
IOCS
f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd
ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31
d6ebde42457fe4b2a927ce53fc36f465f0000da931cfab9b79a36083e914ceca
472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d
66a19f7d2547a8a85cee7a62d0b6114fd31afdee090bd43f36b89470238393d7
3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71
41e5181b9553bbe33d91ee204fe1d2ca321ac123f9147bb475c0ed32f9488597
c7fee7a3ffaf0732f42d89c4399cbff219459ae04a81fc6eff7050d53bd69b99
3a9d8bb85fbcfe92bae79d5ab18e4bca9eaf36cea70086e8d1ab85336c83945f
fe95a382b4f879830e2666473d662a24b34fccf34b6b3505ee1b62b32adafa15
ee8df354503a56c62719656fae71b3502acf9f87951c55ffd955feec90a11484
baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c
b4f7c5e3f14fb57be8b5f020377b993618b6e3532a4e1eb1eae9976d4130cc74
4b0c4170601d6e922cf23b1caf096bba2fade3dfcf92f0ab895a5f0b9a310349
c0fc29a52ec3202f71f6378d9f7f9a8a3a10eb19acb8765152d758aded98c76d
d6ab36cb58c6c8c3527e788fc9239d8dcc97468b6999cf9ccd8a815c8b4a80af
9dd101caee49c692e5df193b236f8d52a07a2030eed9bd858ed3aaccb406401a
450437d49a7e5530c6fb04df2e56c3ab1553ada3712fab02bd1eeb1f1adbc267
93ce3b6d2a18829c0212542751b309dacbdc8c1d950611efe2319aa715f3a066
7939f67375e6b14dfa45ec70356e91823d12f28bbd84278992b99e0d2c12ace5
389a497f27e1dd7484325e8e02bbdf656d53d5cf2601514e9b8d8974befddf61
c4b185dbca490a7f93bc96eefb9a597684fdf532d5a04aa4d9b4d4b1552c283b
e453e6efc5a002709057d8648dbe9998a49b9a12291dee390bb61c98a58b6e95
6036390a2c81301a23c9452288e39cb34e577483d121711b6ba6230b29a3c9ff
cd69e8a25a07318b153e01bba74a1ae60f8fc28eb3d56078f448461400baa984
17506c2246551d401c43726bdaec800f8d41595d01311cf38a19140ad32da2f4
8fa3e8fdbaa6ab5a9c44720de4514f19182adc0c9c6001c19cf159b79c0ae9c2
d17317e1d5716b09cee904b8463a203dc6900d78ee2053276cc948e4f41c8295
3e9fc13fab3f8d8120bd01604ee50ff65a40121955a4150a6d2c007d34807642
Resources & Related Articles