| June 15, 2023
Threat group Volt Typhoon warrants attention
Microsoft recently reported that the company has “uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States.” Volt Typhoon is a state-sponsored actor based in the People’s Republic of China who is “pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.” As a result, the FBI, NSA, CISA, and cybersecurity agencies from Australia, New Zealand, the United Kingdom, and Canada have released a joint Cybersecurity Advisory (CSA).
Multiple sources say the initial attack vector is the compromise of Internet-exposed Fortinet FortiGuard devices by exploiting an unknown zero-day vulnerability. “After breaching the targets’ networks, hackers launch what Microsoft describes as “living-off-the-land” attacks with hands-on-keyboard activity and living-off-the-land binaries such as PowerShell, Certutil, Netsh, and the Windows Management Instrumentation Command-line (WMIC). Leveraging privileged access allows hackers to dump credentials through the Local Security Authority Subsystem Service (LSASS). Stolen credentials then allow hackers to deploy Awen-based web shells for data exfiltration and persistence on the hacked systems.”
Volt Typhoon so far appears to be focused on stealing information from organizations that hold data that relates to the US military or government. Recently, the U.S. Navy Secretary Carlos Del Toro said that the hack by the Chinese government that Microsoft revealed on Wednesday has affected the Navy. Del Toro said the U.S. Navy ‘has been impacted’ by the cyberattacks but he declined to provide further detail.(2)
The impact of Volt Typhoon can be significant due to their ability to exfiltration sensitive data and disrupt critical infrastructure. It is critical that organizations take proactive measures to protect their systems from attack.
Microsoft made several recommendations to reduce risk of being a victim of Volt Typhoon:
- Enforce strong multifactor authentication policies by using hardware security keys, passwordless sign-in, password expiration rules and deactivating unused accounts
- Turn on attack surface reduction rules to block or audit activities associated with this threat in Microsoft Defender for Endpoint
- Enable Protective Process Light for LSASS on Windows 11 devices
- Enable Windows Defender Credential Guard in the Enterprise edition of Windows 11
- Turn on cloud-delivered protection in Microsoft Defender Antivirus
- Run endpoint detection and response in block mode so malicious artifacts can be blocked
Organizations using BigFix should continue reduce susceptibility to attack by:
- Reducing the attack surface by continuously patching and remediating vulnerabilities that are discovered.
- Ensuring compliance checks with automatic remediations are implemented include those that enforce password expirations rules and keep antivirus (AV), endpoint protection (EPP), and endpoint detection and response (EDR) agents running.
- Using the CyberFOCUS MITRE APT Simulator to identify, prioritize and mitigate Advanced Persistent Threats present in your environment.
- Deploying software updates as quickly as possible.
For more information about BigFix, visit www.BigFix.com or request to speak with one of our Technical Advisors.
Comment wrap
