Microsoft says a China-based threat actor has targeted critical infrastructure organizations in Guam and elsewhere in the United States since 2021, probably for espionage.
In research released on Wednesday, the company said the group, which it dubs Volt Typhoon, “is developing capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises,” using living-off-the-land techniques and relying almost exclusively on hands-on-keyboard activity.
Microsoft adds that Volt Typhoon gains initial access to targeted organizations primarily through Internet-facing Fortinet FortiGuard appliances. Where it can, the attacker takes advantage of any privileges afforded by the Fortinet device, extracts the credentials for the Active Directory account used by the device, and then attempts to authenticate to other devices on the network with those credentials.
The gang routes all of its network traffic to its targets through compromised SOHO network edge devices (including routers). Microsoft has confirmed that many of these devices, including those manufactured by ASUS, Cisco Systems, D-Link, Netgear, and Zyxel, expose an HTTP or SSH management interface to the Internet.
Owners of network edge devices should ensure that their management interfaces are not exposed to the public Internet to reduce their attack surface, Microsoft urges. By proxying through these devices, Volt Typhoon increases the stealth of its operations and lowers overhead costs for acquiring infrastructure, it notes.
At the same time as the Microsoft report was released, the cybersecurity agencies of the Five Eyes intelligence co-operative, including those of Canada and the US, issued an advisory including hunting guidance and related best practices to help private-sector critical infrastructure bodies detect this activity.
Microsoft said the affected US organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology and education sectors.
The strategy involves issuing commands via the command line to collect data, including credentials from local and network systems, putting the data into an archive file and staging it for exfiltration, and then using the stolen valid credentials to maintain persistence.
“In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls and VPN hardware. They have also been observed using custom versions of open-source tools to set up a command and control (C2) channel over proxy to remain further under the radar,” Microsoft says.
Some of the built-in Windows tools used by this actor are wmic, ntdsutil, netsh and powershell, the Five Eyes advisory says.
The name Volt Typhoon comes from Microsoft’s new threat actor naming convention, under which groups are named after weather events; Typhoon denotes a China-based cluster.
Microsoft says mitigating risk from adversaries such as Volt Typhoon that rely on legitimate accounts and living-off-the-land binaries (LOLBins) is particularly challenging. “Detection of activity using common sign-in channels and system binaries requires behavioral monitoring. Remediation requires shutting down or changing credentials for compromised accounts,” it says.
Among the recommended defenses: Implement strong multi-factor authentication (MFA) policies using hardware security keys or an authenticator app. Microsoft says that passwordless sign-in, password expiration rules, and deactivating unused accounts can also help reduce the risk.
The Five Eyes advisory warns infosec leaders that when a threat actor uses living-off-the-land techniques, some command line activity may appear benign. “Defenders should evaluate applying their knowledge of the system and baseline behavior to determine the importance of the match,” the advisory warned. “Additionally, if building detection logic based on these commands, network defenders must account for variability in command string arguments, as items such as the port used may vary across environments.”
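The two points the advisory makes about detection logic for the built-in tools it names (wmic, ntdsutil, netsh and powershell), namely that argument values such as ports vary between environments and that matches must be weighed against a known baseline, can be seen in a small behavioral detector. The following is an added example written for this article, not code from Microsoft or from the Five Eyes advisory: the process-creation log lines are constructed, the log format (pipe-delimited fields) is an assumption, and the detection rules are hypothetical illustrations rather than the advisory's own signatures. Ports, addresses and paths are replaced with placeholders before matching, so one rule covers any concrete values, and a match whose normalized form is already in the baseline for that user is reported as baselined rather than alerted.

```python
import re
from dataclasses import dataclass

# Built-in Windows tools the article names (wmic, ntdsutil, netsh, powershell).
LOLBINS = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "powershell.exe"}

# Values that legitimately differ between environments are replaced with
# placeholders, so a single rule matches whatever port, address or path is used.
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_PATH = re.compile(r"[a-z]:\\[^\s\"']*")
_NUM = re.compile(r"\b\d+\b")


def normalize(cmdline: str) -> str:
    """Lower-case, collapse whitespace and abstract the variable arguments."""
    s = " ".join(cmdline.split()).lower()
    s = _IPV4.sub("<ip>", s)
    s = _PATH.sub("<path>", s)
    return _NUM.sub("<num>", s)


@dataclass(frozen=True)
class Rule:
    name: str
    binary: str
    pattern: re.Pattern  # applied to the normalized command line


# Hypothetical rules written for this example; not the advisory's own signatures.
RULES = [
    Rule("netsh port forwarding", "netsh.exe",
         re.compile(r"portproxy add v4tov4 listenport=<num> connectaddress=<ip> connectport=<num>")),
    Rule("ntdsutil IFM media creation", "ntdsutil.exe", re.compile(r"\bifm\b")),
    Rule("wmic remote process creation", "wmic.exe",
         re.compile(r"/node:<ip>.*\bprocess call create\b")),
    Rule("powershell encoded command", "powershell.exe",
         re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s")),
]


def parse_event(line: str) -> dict:
    """Parse one constructed pipe-delimited record: ts|host|user|image|cmdline."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user,
            "binary": image.rsplit("\\", 1)[-1].lower(), "cmdline": cmdline}


def evaluate(lines, baseline):
    """Return findings; a match already in the per-user baseline is 'baselined'."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev["binary"] not in LOLBINS:
            continue
        norm = normalize(ev["cmdline"])
        for rule in RULES:
            if rule.binary == ev["binary"] and rule.pattern.search(norm):
                status = "baselined" if (ev["user"], ev["binary"], norm) in baseline else "alert"
                findings.append({"rule": rule.name, "host": ev["host"], "user": ev["user"],
                                 "status": status, "normalized": norm})
    return findings


# Constructed sample events (hypothetical hosts, users and values).
SAMPLE_LOG = [
    r'2023-05-24T10:01:00Z|ws-finance-12|jdoe|C:\Windows\System32\netsh.exe|netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.10.4.20 connectport=8443',
    r'2023-05-24T10:02:00Z|dc01|svc_adbackup|C:\Windows\System32\ntdsutil.exe|ntdsutil.exe "ac i ntds" ifm "create full C:\Backups\ifm" q q',
    r'2023-05-24T10:03:00Z|dc01|jdoe|C:\Windows\System32\ntdsutil.exe|ntdsutil.exe "ac i ntds" ifm "create full D:\tmp\x" q q',
    r'2023-05-24T10:04:00Z|ws-hr-03|helpdesk|C:\Windows\System32\wbem\wmic.exe|wmic os get caption',
    r'2023-05-24T10:05:00Z|ws-hr-03|svc_inventory|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1',
    r'2023-05-24T10:06:00Z|ws-finance-12|jdoe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc aGVsbG8=',
]

# Known-good activity for this (hypothetical) environment: the AD backup account
# creates IFM media on a schedule, so that exact normalized command is expected.
BASELINE = {
    ("svc_adbackup", "ntdsutil.exe",
     normalize(r'ntdsutil.exe "ac i ntds" ifm "create full C:\Backups\ifm" q q')),
}

if __name__ == "__main__":
    for f in evaluate(SAMPLE_LOG, BASELINE):
        print(f"{f['status']:9} {f['rule']:30} {f['host']:14} {f['user']:13} {f['normalized']}")
```

Because the backup path is abstracted to `<path>`, the baseline entry still suppresses the scheduled job if the backup location changes, while the same command run by a different user on the domain controller is raised as an alert; the benign wmic inventory query and the unencoded PowerShell script match no rule at all.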