Threat Reports

Volt Typhoon: Targeted Attacks on U.S. Critical Infrastructure

Written by Marketing | Jun 6, 2023 7:23:49 PM

Executive Summary

Towards the end of May 2023, cybersecurity authorities in the U.S. and internationally raised concerns about a recently identified cluster of activity associated with a state-sponsored threat actor known as Volt Typhoon, originating from the People's Republic of China (PRC). This activity has impacted critical infrastructure networks across the U.S.

Volt Typhoon uses compromised small office and home (SOHO) devices and living off the land techniques, ensuring their activity goes unnoticed. By manually interacting with compromised devices and leveraging built-in network administration tools, the group successfully disguises their activities as normal Windows system and network operations, evading detection. The primary motive behind Volt Typhoon's actions is espionage, making it crucial for organizations to remain vigilant given the current geopolitical climate.

Let's examine the tactics and techniques employed by Volt Typhoon, as well as explore measures organizations can take to protect themselves against this specific threat actor.

 

 

volt typhoon

As previously stated, towards the end of May 2023, a joint cybersecurity advisory was published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and other international cybersecurity authorities regarding a cluster of activity associated with the PRC. The activity was attributed to the state-sponsored threat actor Volt Typhoon, who has been active since mid-2021.

Microsoft was one of the first to report on the threat actor, who observed their targeting of critical infrastructure organizations throughout the United States, including Guam - an island that hosts several military bases. The threat actor's targets and compromised entities encompass various critical sectors, such as government, maritime, communications, manufacturing, information technology, utilities, transportation, construction, and education.

According to Microsoft, based on observed behavior, it appears that the Volt Typhoon’s intention is to conduct espionage and maintain undetected access for as long as possible. The threat actor also prioritizes stealth, relying heavily on living-off-the-land techniques and hands-on-keyboard activity. Commands are issued via command line to:

  • Gather data, such as credentials from local and network systems.
  • Store the data in an archive file for later exfiltration.
  • Leverage stolen valid credentials to maintain persistent access.

Volt Typhoon also hides their activities by routing traffic through compromised small office and home office (SOHO) network equipment like routers, firewalls, and VPN hardware. They have also been observed utilizing customized versions of open-source tools to establish a command and control (C2) communication channel via proxy, further enhancing their ability to evade endpoint detection and response products that would usually alert detection engineers. The threat actor leverages various built-in tools such as wmic, ntdsutil, netsh, and PowerShell, as well as open-source tools such as Fast Reverse Proxy, the Mimikatz credential0stealing tool, and the Impacket networking framework.

 

 

TACTICS AND TECHNIQUES

Microsoft’s initial report stated that Volt Typhoon gains initial access into targeted organizations by exploiting internet-facing Fortinet FortiGuard devices. The threat actor’s goal is to utilize any privileges available through the compromised Fortinet device. They extract credentials associated with an Active Directory account used by the device before attempting to authenticate themselves on other network devices using those obtained credentials.

Utilizing the acquired privileged access from compromising the Fortinet devices, the state-sponsored threat actors can extract credentials through the Local Security Authority Subsystem Service (LSASS). With the stolen credentials, they deploy Awen-based web shells to facilitate data exfiltration and maintain persistence on the compromised systems. Initial access is also achieved by exploiting public-facing applications such as Earthworm and PortProxy.

To gather information about local drives, Volt Typhoon uses the following command: 

cmd.exe /C "wmic path win32_logicaldisk get

caption,filesystem,freespace,size,volumename"

The command can return results without administrative credentials. It utilizes a command prompt to execute a Windows Management Instrumentation Command Line (WMIC) query, gathering details about the storage devices on the local host. This includes information such as drive letter, file system (e.g., NTFS), free space, drive size in bytes, and an optional volume name.

CISA’s advisory stated that Volt Typhoon may attempt to exfiltrate the ntds.dit file and the SYSTEM registry hive from Windows domain controllers (DCs) within the network for the purpose of password cracking. The ntds.dit file, located by default at %SystemRoot%\NTDS\ntds.dit, serves as the primary Active Directory (AD) database file. It holds crucial data such as user information, group details, group memberships, and password hashes for all domain users.

If Volt Typhoon manages to exfiltrate the ntds.dit and SYSTEM registry hive, an organization should consider the entire domain compromised. This is because the threat actor will likely be able to crack the password hashes for domain user accounts, create unauthorized accounts, and potentially connect unauthorized systems to the domain.

Volt Typhoon also uses the following tools to obtain information:

  • Secretsdump.py
    • This script is a component of Impacket, which the actor has been known to use.
  • Invoke-NinjaCopy (PowerShell)
  • DSInternals (PowerShell)
  • FgDump
  • Metasploit

To enable port forwarding, Volt Typhoon uses the following commands:

  "cmd.exe /c "netsh interface portproxy add v4tov4

listenaddress=0.0.0.0 listenport=9999

connectaddress=<rfc1918 internal ip address>

connectport=8443 protocol=tcp""

-----------------------------------------------------------------------

"cmd.exe /c netsh interface portproxy add v4tov4

listenport=50100 listenaddress=0.0.0.0 connectport=1433

connectaddress=<rfc1918 internal ip address>"

 

To identify successful logons to the host, Volt Typhoon uses the following PowerShell command: 

Get-EventLog security -instanceid 4624

The command helps determine the user account currently being used to gain access to the network, identify other logged-on users on the host, or identify how their activities are being logged. Unfortunately, Volt Typhoon has other commands to identify additional opportunities for obtaining credentials in an environment. See the following commands below:

dir C:\Users\{REDACTED}\.ssh\known_hosts

dir

C:\users\{REDACTED}\appdata\roaming\Mozilla\firefox\profile

s

mimikatz.exe

reg query hklm\software\OpenSSH

reg query hklm\software\OpenSSH\Agent

reg query hklm\software\realvnc

reg query hklm\software\realvnc\vncserver

reg query hklm\software\realvnc\Allusers

reg query hklm\software\realvnc\Allusers\vncserver

reg query hkcu\software\{REDACTED}\putty\session

reg save hklm\sam ss.dat

reg save hklm\system sy.dat

Along with operating system and domain credentials, Volt Typhoon extracts information from local web browser applications. Microsoft detected the threat actors staging the collected data in password-protected archives.

 

 

defense

As Volt Typhoon continues their attacks, news is slowly surfacing of exactly which U.S. critical infrastructure entities were breached. One of those entities is the U.S. Navy. The U.S Navy Secretary Carlos Del Toro stated that the recent cyber attacks from Volt Typhoon have in fact impacted the U.S. Navy. While Del Toro did not provide further detail, he did state that he was not surprised that China was “behaving in this manner, not just for the last couple of years, but for decades.”

The recent breach of U.S. critical infrastructure is believed to be a strategic move aimed at granting China access in case of a future conflict with the U.S. While threat actors target critical infrastructure for various reasons, their consistent focus suggests preparations for a potential cyber attack.

Detecting and mitigating an attack from the Volt Typhoon can pose challenges due to its reliance on legitimate accounts and the use of living-off-the-land binaries (LOLBins). It is crucial to address the issue by either closing or changing compromised accounts.

To prevent the misuse of SOHO devices, it is important for owners to ensure that network management interfaces are not accessible from the Internet. In cases where such exposure is necessary, device owners and operators should adhere to zero trust principles and implement robust authentication and access controls to maintain a high level of security. Also, because Volt Typhoon exploits ntds.dit, it’s important to implement best practices such as strengthening the security of Domain Controllers and regularly monitoring event logs for activities involving ntdsutil.exe and similar processes.

Furthermore, it is important to carefully audit and verify any usage of administrator privileges to ensure the authenticity and legitimacy of executed commands. By following these practices, organizations can bolster the protection of ntds.dit and mitigate potential risks and unauthorized access. Please see Avertium’s Recommendations section for mitigation and logging recommendations.

 

 

MITRE MAP

 

 

avertium's recommendations

Avertium, CISA, the FBI, and the NSA recommend the following mitigations:
  • Defenders should harden domain controllers and monitor event logs [T] for ntdsutil.exe and similar process creations. Additionally, any use of administrator privileges should be audited and validated to confirm the legitimacy of executed commands.
  • Administrators should limit port proxy usage within environments and only enable them for the period of time in which they are required [X].
  • Defenders should investigate unusual IP addresses and ports in command lines, registry entries, and firewall logs to identify other hosts that are potentially involved in actor actions.
  • In addition to host-level changes, defenders should review perimeter firewall configurations for unauthorized changes and/or entries that may permit external connections to internal hosts.
  • Defenders should also look for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons (e.g., a user logging on from two geographically separated locations at the same time).
  • Defenders should forward log files to a hardened centralized logging server, preferably on a segmented network [F].
Logging Recommendations per CISA, the FBI, and the NSA:
  • To be able to detect the activity described in this CSA, defenders should set the audit policy for Windows security logs to include “audit process creation” and “include command line in process creation events” in addition to accessing the logs. Otherwise, the default logging configurations may not contain the necessary information.
    • Enabling these options will create Event ID 4688 entries in the Windows Security log to view command line processes.
  • To hunt for the malicious WMI and PowerShell activity, defenders should also log WMI and PowerShell events.
  • Defenders should forward log files to a hardened centralized logging server, preferably on a segmented network.
    • Such an architecture makes it harder for an actor to cover their tracks as evidence of their actions will be captured in multiple locations.
  • Defenders should also monitor logs for Event ID 1102, which is generated when the audit log is cleared. All Event ID 1102 entries should be investigated as logs are not cleared and this is a known actor tactic to cover their tracks.
    • Even if an event log is cleared on a host, if the logs are also stored on a logging server, the copy of the log will be preserved.
  • Defenders should enable logging on their edge devices, to include system logs, to be able to identify potential exploitation and lateral movement. They should also enable network-level logging, such as sysmon, webserver, middleware, and network device logs.

 

 

how avertium is protecting our customers

Avertium’s Capability Management Team has found several detections for activity related to Volt Typhoon:

Please Note: These detections could have a high volume of false positives and are not a replacement for a proper security policy. Unused but enabled services like WMIC can increase risk.

New Port Forwarding Rule Added Via Netsh.EXX

Detects the execution of netsh commands that configure a new port forwarding rule

Shadow Copies Creation Using Operating Systems Utilities

Detects Shadow Copies creation using operating systems utilities.

PortProxy Registry Key

Detects the modification of PortProxy registry key which is used for port forwarding.

Process Memory Dump Via Comsvcs.DLL

Detects a process memory dump via "comsvcs.dll" using rundll32.

Activity Related to NTDS.dit Domain Hash Retrieval

Detects suspicious commands that uses NTDS.dit file remotely

Suspicious Process Patterns NTDS.DIT Exfil

Detects suspicious process patterns used in NTDS.DIT exfiltration.

Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)

Detects execution of ntdsutil.exe.

Ntdsutil obtaining SeBackupPrivilege

Matches on the ntdsutil.exe system utility obtaining SeBackupPrivilege privileges, bypassing ACL.

Explorer mounting a ntdsutil snapshot

Detects possible attempt to dump AD credentials from the NTDS database.

Vssadmin utility used to create snapshot (Sysmon)

Detects execution of the snapshot creation command.

Vssadmin utility used to create snapshot (Windows auditing)

Detects execution of the snapshot creation command.

Suspicious Usage of Ntdsutil

Detects use of Ntdsutil.exe.

 

Avertium also has the following services to help your organization remain safe:

  • Avertium offers Zero Trust Network as a Service (ZTNaaS) for any organization that wants to control their attack surface. The zero-trust security model delivers exactly what the name promises: it is an IT security concept that specifies no access is allowed until the successful completion of authentication and authorization processes. 
  • Fusion MXDR is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills.
 
 
INDICATORS OF COMPROMISE (IoCS)
 

CISA and the FBI have found the following IoCs for Volt Typhoon:

  • Exploiting vulnerabilities in widely used software including, but not limited to:
    • CVE-2021-40539—ManageEngine ADSelfService Plus.
    • CVE-2021-27860—FatPipe WARP, IPVPN, MPVPN.

  • Using living off the land tools for discovery, lateral movement, and collection activities, to include:
    • certutil
    • dnscmd
    • ldifde
    • makecab
    • net user/group/use
    • netsh
    • nltest
    • ntdsutil
    • PowerShell
    • req query/save
    • systeminfo
    • tasklist
    • wevtutil
    • wmic
    • xcopy

  • Using compromised Small-Office Home-Office (SOHO) devices (e.g. routers) to obfuscate the source of the activity.
  • File Paths
    • C:\Users\Public\Appfile (including subdirectories)
    • C:\Perflogs (including subdirectories)
    • C:\Windows\Temp (including subdirectories)

  • SHA-256 File Hashes
    • f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd
    • ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31
    • d6ebde42457fe4b2a927ce53fc36f465f0000da931cfab9b79a36083e914ceca
    • 472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d
    • 66a19f7d2547a8a85cee7a62d0b6114fd31afdee090bd43f36b89470238393d7
    • 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71
    • 41e5181b9553bbe33d91ee204fe1d2ca321ac123f9147bb475c0ed32f9488597
    • c7fee7a3ffaf0732f42d89c4399cbff219459ae04a81fc6eff7050d53bd69b99
    • 3a9d8bb85fbcfe92bae79d5ab18e4bca9eaf36cea70086e8d1ab85336c83945f
    • fe95a382b4f879830e2666473d662a24b34fccf34b6b3505ee1b62b32adafa15
    • ee8df354503a56c62719656fae71b3502acf9f87951c55ffd955feec90a11484

 

Related Resource:

 

 

SUPPORTING DOCUMENTATION

Volt Typhoon targets US critical infrastructure with living-off-the-land techniques | Microsoft Security Blog

CSA_Living_off_the_Land.PDF (defense.gov)

US Navy ‘impacted’ by Volt Typhoon group, as attacks on more critical infrastructure sectors emerge - Industrial Cyber

China-backed Volt Typhoon group strikes US critical infrastructure using ‘living-off-the-land’ techniques - Industrial Cyber

Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors.PDF (defense.gov)

Chinese hackers breach US critical infrastructure in stealthy attacks (bleepingcomputer.com)

Threat Brief: Attacks on Critical Infrastructure Attributed to Volt Typhoon (paloaltonetworks.com)

Microsoft warns of Volt Typhoon, latest salvo in global cyberwar (techrepublic.com)

Volt Typhoon: International Cybersecurity Authorities Detail Activity Linked to Chinese-State Sponsored Threat Actor - Blog | Tenable®

Living off the Land: Hunting TTPs from CACTUS Ransomware and Volt Typhoon | Threat SnapShot - YouTube

Volt Typhoon: The Chinese APT Group Abuse LOLBins for Cyber Espionage (picussecurity.com)

Five Eyes nations warn of attacks by Volt Typhoon Chinese hackers (techmonitor.ai)

 

APPENDIX II: Disclaimer

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.

 

COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.