Microsoft has uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States.
Microsoft has uncovered malicious activity conducted by Volt Typhoon, a state-sponsored actor based in China, which is targeting critical infrastructure organizations in the United States. The activity is focused on post-compromise credential access and network system discovery, and Microsoft assesses with moderate confidence that the campaign is intended to disrupt critical communications infrastructure between the United States and the Asia region during future crises. Volt Typhoon has been active since mid-2021 and has targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.
Volt Typhoon achieves initial access to targeted organizations through internet-facing Fortinet FortiGuard devices. Once they gain access, they rely on living-off-the-land commands to find information on the system, discover additional devices on the network, and exfiltrate data. They also attempt to dump credentials through the Local Security Authority Subsystem Service (LSASS) and use the command-line tool Ntdsutil.exe to create installation media from domain controllers. In addition, they dump information from local web browser applications and stage collected data in password-protected archives.
To establish a command and control (C2) channel, Volt Typhoon proxies all its network traffic to its targets through compromised small office and home office (SOHO) network edge devices, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a C2 channel over proxy.
Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect attempted post-compromise activity. Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments. The National Security Agency (NSA) has also published a Cybersecurity Advisory [PDF] which contains a hunting guide for the tactics, techniques, and procedures (TTPs) discussed in this article.
Microsoft Sentinel customers are provided with suggested queries to assist in identifying Volt Typhoon activity in their environment. These queries cover LSASS process memory dumping, potential Impacket execution, domain controller installation media creation commands, and commands that set up internal proxies. Microsoft customers can use the TI Mapping analytics to automatically match the malicious hash indicators related to the custom FRP binaries. Indicators of compromise (IOCs) are also provided, including a list of SHA-256 hashes of the custom FRP executables.
The article encourages customers to investigate these IOCs in their environment and implement detections and protection measures.
📓 Volt Typhoon targets US critical infrastructure with living-off-the-land techniques
The main purposes of this text are to:
👉🏽 inform readers of malicious activity by a state-sponsored actor, Volt Typhoon
👉🏽 reveal the actor's target industries and methods of attack
👉🏽 alert readers to the intended disruption of critical communications infrastructure
👉🏽 emphasize the importance of securing environments against post-compromise attacks
👉🏽 provide tools and guidance for identifying and mitigating the attack
👉🏽 encourage investigation and implementation of detection and protection measures
👉🏽 share information on how Volt Typhoon gains initial access to targeted organizations
👉🏽 highlight the use of living-off-the-land commands for network system discovery
👉🏽 discuss the establishment of a command and control channel
👉🏽 suggest the use of Microsoft Defender Antivirus and Microsoft Defender for Endpoint for detection.
#Microsoft #cybersecurity #VoltTyphoon #China #criticalinfrastructure